| author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2016-03-14 09:56:35 -0300 |
|---|---|---|
| committer | Simon Shields <keepcalm444@gmail.com> | 2016-10-19 00:33:04 +1100 |
| commit | 8849894bfafa295d6a1acab288b6deec4dc26ca8 (patch) | |
| tree | 0c54d1362038c7b7e0a74b526d5cd8bd13610806 /kernel | |
| parent | aadaf237377c1dbce968982bc55c148fc97aef90 (diff) | |
net: Fix use after free in the recvmmsg exit path
The syzkaller fuzzer hit the following use-after-free:
Call Trace:
[<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
[<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
[< inline >] SYSC_recvmmsg net/socket.c:2281
[<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
[<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg set
sock->sk->sk_err, oops, fix it.
Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ie3b6ee89ad3e8cd3a0fe8f50f74aaa4834d0b4ca
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/events/core.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index acdc087f29e..b30d2042d52 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -6477,6 +6477,9 @@ SYSCALL_DEFINE5(perf_event_open, if (err) return err; + if (attr.constraint_duplicate || attr.__reserved_1) + return -EINVAL; + if (!attr.exclude_kernel) { if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; |
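Review bot: the check this hunk adds to perf_event_open, returning -EINVAL when attr.constraint_duplicate or attr.__reserved_1 is set, is not described anywhere in the commit message, which only talks about a recvmmsg use-after-free in net/socket.c; this view is limited to 'kernel', so the socket change is not visible here, but the perf_event_open change should be named in the message (or carried in its own commit) so that anyone reviewing the attr validation can see why it was added. On the check itself, rejecting reserved attr bits early with -EINVAL is the right behaviour, since it keeps those bits free for later use and stops userspace from relying on them being silently ignored; placing it right after the `if (err) return err;` context line means it only runs once the preceding error path has been passed, which is the correct ordering.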