Commit 228fa9b1 authored by Jakub Kicinski

Merge branch 'af_unix-correct-manage_oob-when-oob-follows-a-consumed-oob'

Kuniyuki Iwashima says:

====================
af_unix: Correct manage_oob() when OOB follows a consumed OOB.

syzkaller recently reported a use-after-free (UAF) of the OOB skb.

The bug was introduced by commit 93c99f21 ("af_unix: Don't stop
recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") but uncovered
by another recent commit 8594d9b8 ("af_unix: Don't call skb_get()
for OOB skb.").

[0]: https://lore.kernel.org/netdev/00000000000083b05a06214c9ddc@google.com/
====================

Link: https://patch.msgid.link/20240905193240.17565-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents e4225a8c 5aa57d9f
...@@ -2654,51 +2654,52 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state) ...@@ -2654,51 +2654,52 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
int flags, int copied) int flags, int copied)
{ {
struct sk_buff *read_skb = NULL, *unread_skb = NULL;
struct unix_sock *u = unix_sk(sk); struct unix_sock *u = unix_sk(sk);
if (!unix_skb_len(skb)) { if (likely(unix_skb_len(skb) && skb != READ_ONCE(u->oob_skb)))
struct sk_buff *unlinked_skb = NULL; return skb;
spin_lock(&sk->sk_receive_queue.lock); spin_lock(&sk->sk_receive_queue.lock);
if (!unix_skb_len(skb)) {
if (copied && (!u->oob_skb || skb == u->oob_skb)) { if (copied && (!u->oob_skb || skb == u->oob_skb)) {
skb = NULL; skb = NULL;
} else if (flags & MSG_PEEK) { } else if (flags & MSG_PEEK) {
skb = skb_peek_next(skb, &sk->sk_receive_queue); skb = skb_peek_next(skb, &sk->sk_receive_queue);
} else { } else {
unlinked_skb = skb; read_skb = skb;
skb = skb_peek_next(skb, &sk->sk_receive_queue); skb = skb_peek_next(skb, &sk->sk_receive_queue);
__skb_unlink(unlinked_skb, &sk->sk_receive_queue); __skb_unlink(read_skb, &sk->sk_receive_queue);
} }
spin_unlock(&sk->sk_receive_queue.lock); if (!skb)
goto unlock;
}
consume_skb(unlinked_skb); if (skb != u->oob_skb)
} else { goto unlock;
struct sk_buff *unlinked_skb = NULL;
spin_lock(&sk->sk_receive_queue.lock); if (copied) {
skb = NULL;
} else if (!(flags & MSG_PEEK)) {
WRITE_ONCE(u->oob_skb, NULL);
if (skb == u->oob_skb) { if (!sock_flag(sk, SOCK_URGINLINE)) {
if (copied) { __skb_unlink(skb, &sk->sk_receive_queue);
skb = NULL; unread_skb = skb;
} else if (!(flags & MSG_PEEK)) { skb = skb_peek(&sk->sk_receive_queue);
WRITE_ONCE(u->oob_skb, NULL);
if (!sock_flag(sk, SOCK_URGINLINE)) {
__skb_unlink(skb, &sk->sk_receive_queue);
unlinked_skb = skb;
skb = skb_peek(&sk->sk_receive_queue);
}
} else if (!sock_flag(sk, SOCK_URGINLINE)) {
skb = skb_peek_next(skb, &sk->sk_receive_queue);
}
} }
} else if (!sock_flag(sk, SOCK_URGINLINE)) {
skb = skb_peek_next(skb, &sk->sk_receive_queue);
}
spin_unlock(&sk->sk_receive_queue.lock); unlock:
spin_unlock(&sk->sk_receive_queue.lock);
consume_skb(read_skb);
kfree_skb(unread_skb);
kfree_skb(unlinked_skb);
}
return skb; return skb;
} }
#endif #endif
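Review bot: manage_oob() has no header comment, and the new lockless fast path at the top (`if (likely(unix_skb_len(skb) && skb != READ_ONCE(u->oob_skb))) return skb;`) followed by a second `if (skb != u->oob_skb)` under sk_receive_queue.lock is exactly the kind of pair a later reader will be tempted to "deduplicate". I would add a comment above the function stating its contract — it returns the skb the caller should read from, or NULL when nothing is readable; a zero-length (already consumed) head skb is unlinked and released via consume_skb() unless MSG_PEEK is set; an OOB skb at the head is skipped under MSG_PEEK, or detached and released via kfree_skb() when the socket is not SOCK_URGINLINE — plus one line above the fast path such as `/* Lockless check; u->oob_skb can change under us, so it is re-checked under sk_receive_queue.lock below. */`. The read_skb/consume_skb versus unread_skb/kfree_skb split also deserves a one-line comment, since the distinction (consumed by the reader vs dropped unread) is deliberate but not stated anywhere in the function. manage_oob() is complete within this hunk.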
...@@ -3175,9 +3176,13 @@ static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) ...@@ -3175,9 +3176,13 @@ static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
skb = skb_peek(&sk->sk_receive_queue); skb = skb_peek(&sk->sk_receive_queue);
if (skb) { if (skb) {
struct sk_buff *oob_skb = READ_ONCE(u->oob_skb); struct sk_buff *oob_skb = READ_ONCE(u->oob_skb);
struct sk_buff *next_skb;
next_skb = skb_peek_next(skb, &sk->sk_receive_queue);
if (skb == oob_skb || if (skb == oob_skb ||
(!oob_skb && !unix_skb_len(skb))) (!unix_skb_len(skb) &&
(!oob_skb || next_skb == oob_skb)))
answ = 1; answ = 1;
} }
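Review bot: The new `next_skb = skb_peek_next(skb, &sk->sk_receive_queue);` reads skb->next without holding sk_receive_queue.lock, as does the pre-existing skb_peek() just above it; the lock that actually protects the queue pointers is not visible in this hunk (the SIOCATMARK case begins outside it), so if only u->iolock is held here a concurrent sender appending under the queue lock can race the next-pointer read. If that race is considered benign a comment should say so; otherwise wrap the two peeks and the comparison in `spin_lock(&sk->sk_receive_queue.lock);` / `spin_unlock(&sk->sk_receive_queue.lock);`. The condition is now three clauses deep and would also benefit from a comment such as `/* At the mark if the head is the OOB skb, or the head is an already-consumed (zero-length) OOB skb and the pending OOB skb, if any, is right behind it. */`.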
......
...@@ -525,6 +525,29 @@ TEST_F(msg_oob, ex_oob_drop_2) ...@@ -525,6 +525,29 @@ TEST_F(msg_oob, ex_oob_drop_2)
} }
} }
TEST_F(msg_oob, ex_oob_oob)
{
sendpair("x", 1, MSG_OOB);
epollpair(true);
siocatmarkpair(true);
recvpair("x", 1, 1, MSG_OOB);
epollpair(false);
siocatmarkpair(true);
sendpair("y", 1, MSG_OOB);
epollpair(true);
siocatmarkpair(true);
recvpair("", -EAGAIN, 1, 0);
epollpair(false);
siocatmarkpair(false);
recvpair("", -EINVAL, 1, MSG_OOB);
epollpair(false);
siocatmarkpair(false);
}
TEST_F(msg_oob, ex_oob_ahead_break) TEST_F(msg_oob, ex_oob_ahead_break)
{ {
sendpair("hello", 5, MSG_OOB); sendpair("hello", 5, MSG_OOB);
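Review bot: ex_oob_oob asserts a non-obvious outcome without a comment: after the second MSG_OOB send, a plain recv() returns -EAGAIN and the following MSG_OOB recv() returns -EINVAL, i.e. "y" is gone, which follows from manage_oob() detaching an OOB skb found at the head on a non-SOCK_URGINLINE socket rather than from any data being read. A comment before `recvpair("", -EAGAIN, 1, 0);` such as `/* The consumed "x" skb is unlinked and the pending "y" OOB skb behind it is dropped by the normal read, so nothing is left. */` would stop a reader from mistaking the EAGAIN/EINVAL pair for a regression. The helpers' argument order (expected data, expected return, length, flags) is inferred from the calls here and should be confirmed against the fixture; ex_oob_ahead_break continues outside the hunk.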
......