android_kernel_samsung_msm8976/net/dccp
Andrey Ryabinin 44b2238b8c net/dccp: fix use after free in tw_timer_handler()
commit ec7cb62d18d854ea09df8b7194e7e710985f8b9a upstream.

DCCP doesn't purge timewait sockets on network namespace shutdown.
So, after the net namespace is destroyed we could still have an active timer
which will trigger a use after free in tw_timer_handler():

    BUG: KASAN: use-after-free in tw_timer_handler+0x4a/0xa0 at addr ffff88010e0d1e10
    Read of size 8 by task swapper/1/0
    Call Trace:
     __asan_load8+0x54/0x90
     tw_timer_handler+0x4a/0xa0
     call_timer_fn+0x127/0x480
     expire_timers+0x1db/0x2e0
     run_timer_softirq+0x12f/0x2a0
     __do_softirq+0x105/0x5b4
     irq_exit+0xdd/0xf0
     smp_apic_timer_interrupt+0x57/0x70
     apic_timer_interrupt+0x90/0xa0

    Object at ffff88010e0d1bc0, in cache net_namespace size: 6848
    Allocated:
     save_stack_trace+0x1b/0x20
     kasan_kmalloc+0xee/0x180
     kasan_slab_alloc+0x12/0x20
     kmem_cache_alloc+0x134/0x310
     copy_net_ns+0x8d/0x280
     create_new_namespaces+0x23f/0x340
     unshare_nsproxy_namespaces+0x75/0xf0
     SyS_unshare+0x299/0x4f0
     entry_SYSCALL_64_fastpath+0x18/0xad
    Freed:
     save_stack_trace+0x1b/0x20
     kasan_slab_free+0xae/0x180
     kmem_cache_free+0xb4/0x350
     net_drop_ns+0x3f/0x50
     cleanup_net+0x3df/0x450
     process_one_work+0x419/0xbb0
     worker_thread+0x92/0x850
     kthread+0x192/0x1e0
     ret_from_fork+0x2e/0x40

Add an .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
timewait sockets on net namespace destruction and prevent the above issue.

Fixes: f2bf415cfe ("mib: add net to NET_ADD_STATS_BH")
Change-Id: I092f047f2ae2c13f4610512047c5a75833e165d6
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: pass twdr parameter to inet_twsk_purge()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-07-27 22:08:37 +02:00
ccids dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state 2019-07-27 21:46:32 +02:00
Kconfig net/dccp: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:39:34 -08:00
Makefile
ackvec.c
ackvec.h net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
ccid.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
ccid.h dccp: check ccid before dereferencing 2012-08-15 21:36:31 -07:00
dccp.h net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
diag.c
feat.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
feat.h
input.c dccp: fix freeing skb too early for IPV6_RECVPKTINFO 2017-08-01 03:09:10 -07:00
ipv4.c net/dccp: fix use after free in tw_timer_handler() 2019-07-27 22:08:37 +02:00
ipv6.c net/dccp: fix use after free in tw_timer_handler() 2019-07-27 22:08:37 +02:00
ipv6.h
minisocks.c dccp: Unlock sock before calling sk_free() 2019-07-27 21:44:00 +02:00
options.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
output.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
probe.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
proto.c dccp: check sk for closed state in dccp_sendmsg() 2019-07-27 21:49:52 +02:00
qpolicy.c
sysctl.c
timer.c