Patch "nfc: fix refcount leak in llcp_sock_bind()" has been added to the 5.11-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sat, 10 Apr 2021 15:25:09 +0200

This is a note to let you know that I've just added the patch titled

    nfc: fix refcount leak in llcp_sock_bind()

to the 5.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfc-fix-refcount-leak-in-llcp_sock_bind.patch
and it can be found in the queue-5.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d Mon Sep 17 00:00:00 2001
From: Xiaoming Ni <nixiaoming@xxxxxxxxxx>
Date: Thu, 25 Mar 2021 11:51:10 +0800
Subject: nfc: fix refcount leak in llcp_sock_bind()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Xiaoming Ni <nixiaoming@xxxxxxxxxx>

commit c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d upstream.

nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@xxxxxxxxxxx>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@xxxxxxxxxxxxxxx> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/nfc/llcp_sock.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket
 					  llcp_sock->service_name_len,
 					  GFP_KERNEL);
 	if (!llcp_sock->service_name) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
 	llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		kfree(llcp_sock->service_name);
 		llcp_sock->service_name = NULL;
 		ret = -EADDRINUSE;


Patches currently in stable-queue which might be from nixiaoming@xxxxxxxxxx are

queue-5.11/nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
queue-5.11/nfc-fix-memory-leak-in-llcp_sock_connect.patch
queue-5.11/nfc-fix-refcount-leak-in-llcp_sock_bind.patch
queue-5.11/nfc-fix-refcount-leak-in-llcp_sock_connect.patch






