On 26.09.2021 18:47:57, Ziyang Xuan wrote:
> It will trigger UAF for rx_kref of j1939_priv as following.
>
> cpu0 cpu1
> j1939_sk_bind(socket0, ndev0, ...)
> j1939_netdev_start
> j1939_sk_bind(socket1, ndev0, ...)
> j1939_netdev_start
> j1939_priv_set
> j1939_priv_get_by_ndev_locked
> j1939_jsk_add
> .....
> j1939_netdev_stop
> kref_put_lock(&priv->rx_kref, ...)
> kref_get(&priv->rx_kref, ...)
> REFCOUNT_WARN("addition on 0;...")
>
> ====================================================
> refcount_t: addition on 0; use-after-free.
> WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
> RIP: 0010:refcount_warn_saturate+0x169/0x1e0
> Call Trace:
> j1939_netdev_start+0x68b/0x920
> j1939_sk_bind+0x426/0xeb0
> ? security_socket_bind+0x83/0xb0
>
> The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
> protect.
>
> Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
> Reported-by: syzbot+85d9878b19c94f9019ad@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Ziyang Xuan <william.xuanziyang@xxxxxxxxxx>
Added to linux-can/testing, added stable on Cc.
Thanks,
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: PGP signature
