linux/net
Shigeru Yoshida c821a88bd7 kcm: Fix memory leak in error path of kcm_sendmsg()
syzbot reported a memory leak like below:

BUG: memory leak
unreferenced object 0xffff88810b088c00 (size 240):
  comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
  hex dump (first 32 bytes):
    00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
    [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline]
    [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
    [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline]
    [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748
    [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
    [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
    [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
    [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append
newly allocated skbs to 'head'. If some bytes are copied, an error occurs,
and the code jumps to the out_error label, 'last_skb' is left unmodified. A later
kcm_sendmsg() will use an obsolete 'last_skb' reference, corrupting the
'head' frag_list and causing the leak.

This patch fixes this issue by properly updating the last allocated skb in
'last_skb'.

Fixes: ab7ac4eb98 ("kcm: Kernel Connection Multiplexor module")
Reported-and-tested-by: syzbot+6f98de741f7dbbfc4ccb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6f98de741f7dbbfc4ccb
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-09-11 10:03:08 +01:00
6lowpan
9p
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
appletalk
atm
ax25 ax.25: Update to register_net_sysctl_sz 2023-08-15 15:26:17 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-24 10:51:39 -07:00
bluetooth TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
bpf bpf: Prevent inlining of bpf_fentry_test7() 2023-08-30 08:36:17 +02:00
bpfilter
bridge sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
caif
can net: annotate data-races around sk->sk_tsflags 2023-09-01 07:27:33 +01:00
ceph libceph: do not include crypto/algapi.h 2023-08-24 11:24:37 +02:00
core Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-29 07:44:56 +02:00
devlink devlink: move devlink_notify_register/unregister() to dev.c 2023-08-28 08:02:24 -07:00
dns_resolver
dsa
ethernet
ethtool ethtool: netlink: always pass genl_info to .prepare_data 2023-08-15 15:01:03 -07:00
handshake net/handshake: fix null-ptr-deref in handshake_nl_done_doit() 2023-09-01 07:25:14 +01:00
hsr hsr: Fix uninit-value access in fill_frame_info() 2023-09-11 08:28:36 +01:00
ieee802154 sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
ife
ipv4 net: ipv4: fix one memleak in __inet_del_ifa() 2023-09-08 08:02:17 +01:00
ipv6 Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
iucv
kcm kcm: Fix memory leak in error path of kcm_sendmsg() 2023-09-11 10:03:08 +01:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp inet: introduce inet->inet_flags 2023-08-16 11:09:16 +01:00
l3mdev
lapb
llc
mac80211 wireless-next patches for v6.6 2023-08-25 18:35:09 -07:00
mac802154
mctp
mpls networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
mptcp Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
ncsi genetlink: make genl_info->nlhdr const 2023-08-15 14:54:44 -07:00
netfilter Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
netlabel
netlink genetlink: add a family pointer to struct genl_info 2023-08-15 15:01:03 -07:00
netrom netrom: Deny concurrent connect(). 2023-08-28 06:58:46 +01:00
nfc TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
nsh
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-10 14:10:53 -07:00
phonet
psample
qrtr
rds sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
rfkill
rose
rxrpc
sched net: sched: sch_qfq: Fix UAF in qfq_dequeue() 2023-09-05 08:54:12 +02:00
sctp Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
smc net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add 2023-09-10 19:31:42 +01:00
strparser
sunrpc NFS CLient Updates for Linux 6.6 2023-08-31 15:36:41 -07:00
switchdev
tipc - Some swap cleanups from Ma Wupeng ("fix WARN_ON in add_to_avail_list") 2023-08-29 14:25:26 -07:00
tls tls: get cipher_name from cipher_desc in tls_set_sw_offload 2023-08-27 17:17:42 -07:00
unix Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
vmw_vsock
wireless wifi: nl80211: Remove unused declaration nl80211_pmsr_dump_results() 2023-08-22 21:40:40 +02:00
x25
xdp xsk: Fix xsk_diag use-after-free error during socket cleanup 2023-08-31 13:21:11 +02:00
xfrm sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
sysctl_net.c sysctl: Add size to register_net_sysctl function 2023-08-15 15:26:17 -07:00