On 12/3/19 12:21 PM, Oliver Hartkopp wrote: > > > On 03/12/2019 11.47, Marc Kleine-Budde wrote: >> From: Jouni Hogander <jouni.hogander@xxxxxxxxxx> >> >> Slcan_open doesn't clean-up device which registration failed from the >> slcan_devs device list. On next open this list is iterated and freed >> device is accessed. Fix this by calling slc_free_netdev in error path. >> >> Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was >> identified in slip_open by syzboz. Same bug is in slcan.c. Here is the >> trace from the Syzbot slip report: >> >> __dump_stack lib/dump_stack.c:77 [inline] >> dump_stack+0x197/0x210 lib/dump_stack.c:118 >> print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 >> __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 >> kasan_report+0x12/0x20 mm/kasan/common.c:634 >> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 >> sl_sync drivers/net/slip/slip.c:725 [inline] >> slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801 >> tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469 >> tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596 >> tiocsetd drivers/tty/tty_io.c:2334 [inline] >> tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594 >> vfs_ioctl fs/ioctl.c:46 [inline] >> file_ioctl fs/ioctl.c:509 [inline] >> do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696 >> ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 >> __do_sys_ioctl fs/ioctl.c:720 [inline] >> __se_sys_ioctl fs/ioctl.c:718 [inline] >> __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 >> do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path") >> Cc: Wolfgang Grandegger <wg@xxxxxxxxxxxxxx> >> Cc: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> >> Cc: David Miller <davem@xxxxxxxxxxxxx> >> Cc: Oliver Hartkopp <socketcan@xxxxxxxxxxxx> >> Cc: Lukas Bulwahn <lukas.bulwahn@xxxxxxxxx> >> Signed-off-by: Jouni Hogander <jouni.hogander@xxxxxxxxxx> >> Cc: linux-stable <stable@xxxxxxxxxxxxxxx> # >= v5.4 > > I think this problem existed from the initial commit in 2010 and is not > restricted to >= v5.4 > > Together with commit commit ed50e1600b4483c049 ("slcan: Fix memory leak > in error path") from Jouni Hogander. Yes, both patches shoud be backported: ed50e1600b44 slcan: Fix memory leak in error path 9ebd796e2400 can: slcan: Fix use-after-free Read in slcan_open Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: OpenPGP digital signature