system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-04 02:10:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Duoming Zhou d01ffb9eee ax25: add refcount in ax25_dev to avoid UAF bugs 
If we dereference ax25_dev after we call kfree(ax25_dev) in
ax25_dev_device_down(), it will lead to concurrency UAF bugs.
There are eight syscall functions suffer from UAF bugs, include
ax25_bind(), ax25_release(), ax25_connect(), ax25_ioctl(),
ax25_getname(), ax25_sendmsg(), ax25_getsockopt() and
ax25_info_show().

One of the concurrency UAF can be shown as below:

  (USE)                       |    (FREE)
                              |  ax25_device_event
                              |    ax25_dev_device_down
ax25_bind                     |    ...
  ...                         |      kfree(ax25_dev)
  ax25_fillin_cb()            |    ...
    ax25_fillin_cb_from_dev() |
  ...                         |

The root cause of UAF bugs is that kfree(ax25_dev) in
ax25_dev_device_down() is not protected by any locks.
When ax25_dev, which there are still pointers point to,
is released, the concurrency UAF bug will happen.

This patch introduces refcount into ax25_dev in order to
guarantee that there are no pointers point to it when ax25_dev
is released.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-01-28 14:56:47 +00:00
..
6lowpan
9p virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
802 net: 802: Use memset_startat() to clear struct fields 2021-11-19 11:23:23 +00:00
8021q vlan: add net device refcount tracker 2021-12-07 20:44:58 -08:00
appletalk
atm proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
ax25 ax25: add refcount in ax25_dev to avoid UAF bugs 2022-01-28 14:56:47 +00:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
bluetooth proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
bpf
bpfilter
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2022-01-27 18:53:02 -08:00
caif Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
can proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
ceph The highlight is the new mount "device" string syntax implemented 2022-01-20 13:46:20 +02:00
core Networking fixes for 5.17-rc2, including fixes from netfilter and can. 2022-01-27 20:58:39 +02:00
dcb
dccp dccp: Inline dccp_listen_start(). 2021-11-23 20:16:22 -08:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
dns_resolver
dsa net: dsa: setup master before ports 2022-01-06 11:59:10 +00:00
ethernet gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers 2021-11-24 17:21:42 -08:00
ethtool ethtool: use phydev variable 2022-01-06 12:33:35 +00:00
hsr net: Write lock dev_base_lock without disabling bottom halves. 2021-11-29 12:12:36 +00:00
ieee802154
ife
ipv4 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2022-01-27 18:53:02 -08:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2022-01-27 18:53:02 -08:00
iucv net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
kcm net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
key
l2tp l2tp: add netns refcount tracker to l2tp_dfs_seq_data 2021-12-10 06:38:27 -08:00
l3mdev
lapb
llc sock: Use sock_owned_by_user_nocheck() instead of sk_lock.owned. 2021-12-10 19:43:00 -08:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
mac802154
mctp mctp: test: zero out sockaddr 2022-01-11 20:26:36 -08:00
mpls Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-12-02 11:44:56 -08:00
mptcp mptcp: Use struct_group() to avoid cross-field memset() 2022-01-21 19:26:03 -08:00
ncsi all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate 2022-01-15 08:47:31 -08:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2022-01-27 18:53:02 -08:00
netlabel lsm: security_task_getsecid_subj() -> security_current_getsecid_subj() 2021-11-22 17:52:47 -05:00
netlink net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
netrom netrom: fix api breakage in nr_setsockopt() 2022-01-07 14:11:05 +00:00
nfc Networking fixes for 5.17-rc1, including fixes from netfilter, bpf. 2022-01-20 10:57:05 +02:00
nsh
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
packet net: fix information leakage in /proc/net/ptype 2022-01-20 10:12:53 +00:00
phonet phonet/pep: refuse to enable an unbound pipe 2021-12-20 11:49:51 +00:00
psample
qrtr bus: mhi: core: Add an API for auto queueing buffers for DL channel 2021-12-17 17:17:14 +01:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-12-16 16:13:19 -08:00
rfkill rfkill: allow to get the software rfkill state 2021-12-20 11:02:38 +01:00
rose net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
rxrpc rxrpc: Adjust retransmission backoff 2022-01-22 02:03:24 +00:00
sched sch_htb: Fail on unsupported parameters when offload is requested 2022-01-25 20:00:02 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
smc net/smc: Transitional solution for clcsock race issue 2022-01-24 12:06:08 +00:00
strparser
sunrpc NFS Client Updates for Linux 5.17 2022-01-25 20:16:03 +02:00
switchdev net: switchdev: add net device refcount tracker 2021-12-07 20:44:58 -08:00
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
tls net/tls: Fix another skb memory leak when running kTLS traffic 2022-01-17 13:07:47 +00:00
unix af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress 2022-01-14 18:31:37 -08:00
vmw_vsock virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
wireless Kbuild updates for v5.17 2022-01-19 11:15:19 +02:00
x25 net: x25: drop harmless check of !more 2021-12-09 18:35:11 -08:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
xfrm xfrm: Don't accidentally set RTO_ONLINK in decode_session4() 2022-01-11 20:36:08 -08:00
compat.c
devres.c
Kconfig net: kunit: add a test for dev_addr_lists 2021-11-20 12:25:57 +00:00
Kconfig.debug net: add networking namespace refcount tracker 2021-12-10 06:38:26 -08:00
Makefile
socket.c net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets 2022-01-06 12:18:08 +00:00
sysctl_net.c