Or Cohen afb6213580 net/nfc: fix use-after-free llcp_sock_bind/connect ...

stable inclusion
from linux-4.19.191
commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
category: bugfix
bugzilla: NA
CVE: CVE-2021-23134

--------------------------------

commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream.

Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
fixed a refcount leak bug in bind/connect but introduced a
use-after-free if the same local is assigned to 2 different sockets.

This can be triggered by the following simple program:
    int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
    addr.sa_family = AF_NFC;
    addr.nfc_protocol = NFC_PROTO_NFC_DEP;
    bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    close(sock1);
    close(sock2);

Fix this by assigning NULL to llcp_sock->local after calling
nfc_llcp_local_put.

This addresses CVE-2021-23134.

Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Reported-by: Nadav Markus <nmarkus@paloaltonetworks.com>
Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Yu Changchun <yuchangchun1@huawei.com>

2021-05-31 17:14:59 +08:00

..

6lowpan

6lowpan: Off by one handling ->nexthdr

2020-01-27 14:50:41 +01:00

9p

net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid

2020-11-05 11:08:44 +01:00

802

…

8021q

vlan: vlan_changelink() should propagate errors

2020-01-12 12:17:28 +01:00

appletalk

appletalk: Set error code if register_snap_client failed

2019-12-13 08:52:59 +01:00

atm

atm: fix a memory leak of vcc->user_back

2020-10-01 13:14:43 +02:00

ax25

AX.25: Prevent integer overflows in connect and sendmsg

2020-07-31 18:37:48 +02:00

batman-adv

batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh

2020-10-01 13:14:52 +02:00

bluetooth

Bluetooth: verify AMP hci_chan before amp_destroy

2021-05-31 17:14:59 +08:00

bpf

bpf/test_run: support cgroup local storage

2018-08-03 00:47:32 +02:00

bpfilter

signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig

2020-01-27 14:50:51 +01:00

bridge

net: bridge: enfore alignment for ethernet address

2020-06-30 23:17:03 -04:00

caif

net: use skb_queue_empty_lockless() in poll() handlers

2019-11-10 11:27:48 +01:00

can

can: gw: Fix error path of cgw_module_init

2019-08-29 08:28:30 +02:00

ceph

libceph: clear con->out_msg on Policy::stateful_server faults

2020-11-05 11:08:53 +01:00

core

net: core: enable SO_BINDTODEVICE for non-root users

2021-05-31 17:14:49 +08:00

dcb

net: DCB: Validate DCB_ATTR_DCB_BUFFER argument

2020-09-26 18:01:29 +02:00

dccp

net: ipv6: add net argument to ip6_dst_lookup_flow

2020-04-29 16:31:16 +02:00

decnet

net: add bool confirm_neigh parameter for dst_ops.update_pmtu

2020-01-04 19:13:37 +01:00

dns_resolver

KEYS: Don't write out to userspace while holding key semaphore

2020-04-23 10:30:24 +02:00

dsa

dsa: Allow forwarding of redirected IGMP traffic

2020-09-23 12:10:56 +02:00

ethernet

net: add annotations on hh->hh_len lockless accesses

2020-01-09 10:19:09 +01:00

hsr

hsr: check protocol version in hsr_newlink()

2020-04-21 09:03:03 +02:00

ieee802154

nl802154: add missing attribute validation for dev_type

2020-03-18 07:14:15 +01:00

ife

…

ipv4

cipso,calipso: resolve a number of problems with the DOI refcounts

2021-05-31 17:14:59 +08:00

ipv6

cipso,calipso: resolve a number of problems with the DOI refcounts

2021-05-31 17:14:59 +08:00

iucv

net/af_iucv: always register net_device notifier

2020-01-27 14:50:56 +01:00

kcm

kcm: switch order of device registration to fix a crash

2019-04-17 08:38:40 +02:00

key

af_key: pfkey_dump needs parameter validation

2020-09-26 18:01:28 +02:00

l2tp

l2tp: remove skb_dst_set() from l2tp_xmit_skb()

2020-07-22 09:31:59 +02:00

l3mdev

…

lapb

lapb: fixed leak of control-blocks.

2019-06-22 08:15:13 +02:00

llc

net: silence data-races on sk_backlog.tail

2020-10-01 13:14:26 +02:00

mac80211

mac80211: handle lack of sband->bitrates in rates

2020-10-30 10:38:28 +01:00

mac802154

net: mac802154: Fix general protection fault

2021-05-31 17:14:59 +08:00

mpls

net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup

2020-04-29 16:31:17 +02:00

ncsi

net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler

2018-08-22 21:39:08 -07:00

netfilter

netfilter: x_tables: Use correct memory barriers.

2021-05-31 17:14:55 +08:00

netlabel

cipso,calipso: resolve a number of problems with the DOI refcounts

2021-05-31 17:14:59 +08:00

netlink

genetlink: remove genl_bind

2020-07-22 09:31:58 +02:00

netrom

net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node

2020-04-29 16:31:21 +02:00

nfc

net/nfc: fix use-after-free llcp_sock_bind/connect

2021-05-31 17:14:59 +08:00

nsh

nsh: set mac len based on inner packet

2018-07-12 16:55:29 -07:00

openvswitch

openvswitch: handle DNAT tuple collision

2020-10-14 10:31:24 +02:00

packet

net/packet: make tp_drops atomic

2020-11-14 16:00:50 +08:00

phonet

net: use skb_queue_empty_lockless() in poll() handlers

2019-11-10 11:27:48 +01:00

psample

net: psample: fix skb_over_panic

2019-12-05 09:21:30 +01:00

qrtr

net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()

2021-05-31 17:14:55 +08:00

rds

rds: Prevent kernel-infoleak in rds_notify_queue_get()

2020-08-05 10:06:01 +02:00

rfkill

rfkill: Fix incorrect check to avoid NULL pointer dereference

2020-01-12 12:17:17 +01:00

rose

net/rose: fix unbound loop in rose_loopback_timer()

2019-05-02 09:59:00 +02:00

rxrpc

rxrpc: Fix server keyring leak

2020-10-14 10:31:26 +02:00

sched

netem: fix zero division in tabledist

2020-11-05 11:08:33 +01:00

sctp

net/sctp: fix race condition in sctp_destroy_sock

2021-05-31 17:14:52 +08:00

smc

net/smc: fix valid DMBE buffer sizes

2020-10-29 09:54:55 +01:00

strparser

net: strparser: partially revert "strparser: Call skb_unclone conditionally"

2019-05-16 19:41:27 +02:00

sunrpc

sunrpc: check that domain table is empty at module unload.

2020-11-20 14:52:40 +08:00

switchdev

…

tipc

tipc: fix memory leak caused by tipc_buf_append()

2020-11-05 11:08:33 +01:00

tls

net/tls: sendfile fails with ktls offload

2020-10-29 09:54:56 +01:00

unix

skbuff: fix a data race in skb_queue_len()

2020-10-01 13:14:32 +02:00

vmw_vsock

net: virtio_vsock: Enhance connection semantics

2020-10-07 08:00:05 +02:00

wimax

wimax: remove blank lines at EOF

2018-07-24 14:10:42 -07:00

wireless

nl80211: fix non-split wiphy information

2020-10-29 09:55:13 +01:00

x25

net/x25: prevent a couple of overflows

2021-05-31 17:14:50 +08:00

xdp

xdp: Fix xsk_generic_xmit errno

2020-06-25 15:33:05 +02:00

xfrm

xfrm: Use correct address family in xfrm_state_find

2020-10-14 10:31:25 +02:00

compat.c

net/compat: Add missing sock updates for SCM_RIGHTS

2020-08-21 11:05:32 +02:00

Kconfig

net: remove blank lines at end of file

2018-07-24 14:10:43 -07:00

Makefile

bpfilter: check compiler capability in Kconfig

2018-06-28 13:36:39 +09:00

socket.c

net: Set fput_needed iff FDPUT_FPUT is set

2020-08-19 08:15:03 +02:00

sysctl_net.c

…