Headline
CVE-2022-1516: git/netdev/net.git - Netdev Group's networking tree
A NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.
author
Duoming Zhou [email protected]
2022-03-26 18:43:46 +0800
committer
David S. Miller [email protected]
2022-03-26 11:48:16 -0700
commit
7781607938c8371d4c2b243527430241c62e39c2 (patch)
tree
6dcb49a0273aa15819085ecd0e811821798e9a1f
parent
1521db37f0d42334a88e8ff28198a27d1ed5cd7b (diff)
download
net-7781607938c8.tar.gz
net/x25: Fix null-ptr-deref caused by x25_disconnect
When the link layer is terminating, x25->neighbour will be set to NULL in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is shown below. (Thread 1) | (Thread 2) x25_link_terminated() | x25_recvmsg() x25_kill_by_neigh() | … x25_disconnect() | lock_sock(sk) … | … x25->neighbour = NULL //(1) | … | x25->neighbour->extended //(2) The code sets NULL to x25->neighbour in position (1) and dereferences x25->neighbour in position (2), which could cause null-ptr-deref bug. This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the sock held by lock_sock() is not NULL, because it is extracted from x25_list and uses x25_list_lock to synchronize. Fixes: 4becb7ee5b3d (“net/x25: Fix x25_neigh refcnt leak when x25 disconnect”) Signed-off-by: Duoming Zhou [email protected] Reviewed-by: Lin Ma [email protected] Signed-off-by: David S. Miller [email protected]
-rw-r–r--
net/x25/af_x25.c
11
1 files changed, 8 insertions, 3 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 3583354a7d7fe…3a171828638b1 100644
— a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1765,10 +1765,15 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
write_lock_bh(&x25_list_lock);
- sk_for_each(s, &x25_list)
- if (x25_sk(s)->neighbour == nb)
+ sk_for_each(s, &x25_list) {
+ if (x25_sk(s)->neighbour == nb) {
+ write_unlock_bh(&x25_list_lock);
+ lock_sock(s);
x25_disconnect(s, ENETUNREACH, 0, 0);
-
+ release_sock(s);
+ write_lock_bh(&x25_list_lock);
+ }
+ }
write_unlock_bh(&x25_list_lock);
/* Remove any related forwards */
Related news
There is a command injection vulnerability at the /goform/setsambacfg interface of Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin device web, which can also cooperate with CVE-2021-44971 to cause unconditional arbitrary command execution