www.infradead.org Git - users/jedix/linux-maple.git/commit
net: Fix use after free in the recvmmsg exit path
author Arnaldo Carvalho de Melo <acme@redhat.com>
Mon, 14 Mar 2016 12:56:35 +0000 (09:56 -0300)
committer Dhaval Giani <dhaval.giani@oracle.com>
Fri, 20 Jan 2017 22:22:00 +0000 (17:22 -0500)
commit a230313b7645aea92d50d787262436f4eb30eacb
tree 7940566947a32556c018d9a9fe5f998677c35545
parent ad94d1fec858b86a2f719af3e340f2edda49357d
net: Fix use after free in the recvmmsg exit path

Orabug: 25308056

[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]

The syzkaller fuzzer hit the following use-after-free:

  Call Trace:
   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
  arch/x86/entry/entry_64.S:185

And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg set
sock->sk->sk_err, oops, fix it.

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 8ca7bf099ae0e6ff096b3910895b5285a112aeb5)
Signed-off-by: Dhaval Giani <dhaval.giani@oracle.com>
net/socket.c
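A userspace C model of the ordering problem the commit message describes, added here as an illustration and not taken from net/socket.c or from this commit's diff: the buggy exit path drops the socket reference and only then writes the deferred error into sock->sk->sk_err, while the fixed path finishes every access before the put. The refcount, the `freed` flag and the `uaf_hits` counter are constructed stand-ins for memory that the kernel would really free (which is what KASAN caught), and the error handling is simplified to the case the message names: some datagrams received, then an error.

```c
/* Minimal stand-in for the kernel objects touched on the recvmmsg exit path. */
struct sock { int sk_err; };
struct socket { int refcnt; int freed; struct sock *sk; };

/* Counts accesses to a socket whose last reference was already dropped. In the
 * kernel that is a real use-after-free; here the object stays allocated so the
 * defect is observable without undefined behaviour. */
static int uaf_hits;

static void sock_put(struct socket *sock)
{
    if (--sock->refcnt == 0)
        sock->freed = 1;            /* the real sock_put would free the memory */
}

static void set_sk_err(struct socket *sock, int err)
{
    if (sock->freed)
        uaf_hits++;                 /* touching the object after the put */
    sock->sk->sk_err = -err;        /* kernel stores the positive errno */
}

/* Buggy ordering: the reference is dropped first; if some datagrams were
 * received before an error, the deferred error is then written through the
 * dropped reference, which is the use-after-free the commit fixes. */
static int recvmmsg_exit_buggy(struct socket *sock, int err, int datagrams)
{
    sock_put(sock);
    if (err == 0)
        return datagrams;
    if (datagrams != 0) {
        set_sk_err(sock, err);      /* error is reported on the next call */
        return datagrams;
    }
    return err;
}

/* Fixed ordering: decide the return value and record the deferred error while
 * the reference is still held, and drop it as the very last step. */
static int recvmmsg_exit_fixed(struct socket *sock, int err, int datagrams)
{
    int ret = err;
    if (err == 0 || datagrams != 0) {
        if (err != 0)
            set_sk_err(sock, err);
        ret = datagrams;
    }
    sock_put(sock);
    return ret;
}
```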