linux/net at 8fbdf8b34edc412dc7d8e2e4957c8ea1625ff8a2 - linux - sys114

shinys000114/linux

mirror of https://github.com/hardkernel/linux.git synced 2026-04-02 03:03:00 +09:00

Files

History

Or Cohen ff6866d250 net/nfc: fix use-after-free llcp_sock_bind/connect

commit c61760e694 upstream.

Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
fixed a refcount leak bug in bind/connect but introduced a
use-after-free if the same local is assigned to 2 different sockets.

This can be triggered by the following simple program:
    int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
    addr.sa_family = AF_NFC;
    addr.nfc_protocol = NFC_PROTO_NFC_DEP;
    bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    close(sock1);
    close(sock2);

Fix this by assigning NULL to llcp_sock->local after calling
nfc_llcp_local_put.

This addresses CVE-2021-23134.

Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Reported-by: Nadav Markus <nmarkus@paloaltonetworks.com>
Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2023-05-16 10:54:58 +09:00

..

6lowpan: Off by one handling ->nexthdr

2023-05-15 16:44:57 +09:00

net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid

2023-05-16 09:44:54 +09:00

net: Kill dev_rebuild_header

2015-03-02 16:43:41 -05:00

vlan: fix memory leak in vlan_dev_set_egress_priority

2023-05-15 16:32:51 +09:00

appletalk: Fix skb allocation size in loopback case

2023-05-16 10:49:55 +09:00

atm: fix a memory leak of vcc->user_back

2023-05-16 09:16:14 +09:00

AX.25: Prevent integer overflows in connect and sendmsg

2023-05-16 08:39:01 +09:00

batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field

2023-05-16 10:51:39 +09:00

bluetooth: eliminate the potential race condition when removing the HCI controller

2023-05-16 10:54:57 +09:00

net: bridge: vlan: fix error return code in __vlan_add()

2023-05-16 09:55:55 +09:00

caif: reduce stack size with KASAN

2023-05-15 12:38:05 +09:00

can: purge socket error queue on sock destruct

2023-05-15 13:55:21 +09:00

libceph: clear con->out_msg on Policy::stateful_server faults

2023-05-16 09:45:38 +09:00

neighbour: Disregard DEAD dst in neigh_update

2023-05-16 10:52:41 +09:00

net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands

2023-05-16 10:26:53 +09:00

ipv6: weaken the v4mapped source check

2023-05-16 10:49:39 +09:00

decnet: fix DN_IFREQ_SIZE

2023-05-15 16:07:59 +09:00

KEYS: DNS: fix parsing multiple options

2023-05-12 16:29:40 +09:00

net: dsa: tag_brcm: Fix skb->fwd_offload_mark location

2023-05-15 17:13:02 +09:00

net: add annotations on hh->hh_len lockless accesses

2023-05-15 16:31:00 +09:00

hsr: use netdev_err() instead of WARN_ONCE()

2023-05-16 10:54:56 +09:00

net: ieee802154: forbid monitor for add llsec seclevel

2023-05-16 10:52:53 +09:00

netfilter: x_tables: fix compat match/target pad out-of-bound write

2023-05-16 10:52:20 +09:00

net: sit: Unregister catch-all devices

2023-05-16 10:52:59 +09:00

ipx: call ipxitf_put() in ioctl error path

2017-05-25 15:44:41 +02:00

irda: Fix memory leak caused by repeated binds of irda socket

2023-05-12 17:27:16 +09:00

net/af_iucv: set correct sk_protocol for child sockets

2023-05-16 09:50:42 +09:00

kcm: switch order of device registration to fix a crash

2023-05-15 12:22:31 +09:00

af_key: relax availability checks for skb size calculation

2023-05-16 10:35:31 +09:00

l2tp: fix races with ipv4-mapped ipv6 addresses

2023-05-16 10:00:21 +09:00

net: ipv6: Remove l3mdev_get_saddr6

2016-09-10 23:12:53 -07:00

net: lapb: Copy the skb before sending a packet

2023-05-16 10:34:08 +09:00

llc: make sure applications use ARPHRD_ETHER

2023-05-16 08:30:04 +09:00

mac80211: choose first enabled channel for monitor

2023-05-16 10:50:25 +09:00

net: mac802154: Fix general protection fault

2023-05-16 10:52:03 +09:00

net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0

2023-05-16 10:46:16 +09:00

net/ncsi: Use real net-device for response handler

2023-05-16 10:24:55 +09:00

netfilter: x_tables: fix compat match/target pad out-of-bound write

2023-05-16 10:52:20 +09:00

netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()

2023-05-16 09:48:55 +09:00

genetlink: remove genl_bind

2023-05-16 08:30:10 +09:00

net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node

2023-05-15 17:22:52 +09:00

net/nfc: fix use-after-free llcp_sock_bind/connect

2023-05-16 10:54:58 +09:00

openvswitch: fix stack OOB read while fragmenting IPv4 packets

2023-05-16 10:54:33 +09:00

net/packet: fix overflow in tpacket_rcv

2023-05-16 09:23:48 +09:00

phonet: fix building with clang

2023-05-15 12:05:35 +09:00

net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()

2023-05-16 10:49:33 +09:00

rds: Prevent kernel-infoleak in rds_notify_queue_get()

2023-05-16 08:44:05 +09:00

rfkill: Fix incorrect check to avoid NULL pointer dereference

2023-05-15 16:32:30 +09:00

rose: Fix Null pointer dereference in rose_send_frame()

2023-05-16 09:50:43 +09:00

rxrpc: Fix handling of an unsupported token type in rxrpc_read()

2023-05-16 10:26:56 +09:00

net: sched: sch_teql: fix null-pointer dereference

2023-05-16 10:51:40 +09:00

net/sctp: fix race condition in sctp_destroy_sock

2023-05-16 10:52:33 +09:00

strparser: Fix incorrect strp->need_bytes value.

2018-04-29 11:32:02 +02:00

rpc: fix NULL dereference on kmalloc failure

2023-05-16 10:49:41 +09:00

switchdev: Execute bridge ndos only for bridge ports

2016-10-19 10:58:04 -04:00

net:tipc: Fix a double free in tipc_sk_mcast_rcv

2023-05-16 10:51:44 +09:00

skbuff: fix a data race in skb_queue_len()

2023-05-16 09:15:28 +09:00

selinux: vsock: Set SID for socket returned by accept()

2023-05-16 10:49:38 +09:00

net:wimax: Fix doucble word "the the" in networking.xml

2015-08-09 22:43:52 -07:00

WireGuard 1.0.20210424

2023-05-16 10:53:26 +09:00

cfg80211: remove WARN_ON() in cfg80211_sme_connect

2023-05-16 10:51:57 +09:00

net/x25: prevent a couple of overflows

2023-05-16 09:50:49 +09:00

xfrm: Fix oops in xfrm_replay_advance_bmp

2023-05-16 10:33:29 +09:00

compat.c

net/compat: Add missing sock updates for SCM_RIGHTS

2023-05-16 08:47:54 +09:00

Kconfig

net/wireguard: add WireGuard 1.0.20200712

2023-05-15 17:31:52 +09:00

Makefile

net/wireguard: add WireGuard 1.0.20200712

2023-05-15 17:31:52 +09:00

socket.c

net: Set fput_needed iff FDPUT_FPUT is set

2023-05-16 08:47:15 +09:00

sysctl_net.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

2016-10-06 09:52:23 -07:00