Commit 676d2369 authored by David S. Miller's avatar David S. Miller
Browse files

net: Fix use after free by removing length arg from sk_data_ready callbacks. 



Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ad20d5f6

drivers/scsi/iscsi_tcp.c

+1 −1
Original line number Diff line number Diff line
@@ -125,7 +125,7 @@ static inline int iscsi_sw_sk_state_check(struct sock *sk) 
	return 0;

}



static void iscsi_sw_tcp_data_ready(struct sock *sk, int flag)

static void iscsi_sw_tcp_data_ready(struct sock *sk)

{

	struct iscsi_conn *conn;

	struct iscsi_tcp_conn *tcp_conn;

drivers/scsi/iscsi_tcp.h

+1 −1
Original line number Diff line number Diff line
@@ -40,7 +40,7 @@ struct iscsi_sw_tcp_conn { 


	struct iscsi_sw_tcp_send out;

	/* old values for socket callbacks */

	void			(*old_data_ready)(struct sock *, int);

	void			(*old_data_ready)(struct sock *);

	void			(*old_state_change)(struct sock *);

	void			(*old_write_space)(struct sock *);

drivers/staging/lustre/lnet/klnds/socklnd/socklnd_lib-linux.c

+2 −2
Original line number Diff line number Diff line
@@ -655,7 +655,7 @@ extern void ksocknal_write_callback (ksock_conn_t *conn); 
 * socket call back in Linux

 */

static void

ksocknal_data_ready (struct sock *sk, int n)

ksocknal_data_ready (struct sock *sk)

{

	ksock_conn_t  *conn;
@@ -666,7 +666,7 @@ ksocknal_data_ready (struct sock *sk, int n) 
	conn = sk->sk_user_data;

	if (conn == NULL) {	     /* raced with ksocknal_terminate_conn */

		LASSERT (sk->sk_data_ready != &ksocknal_data_ready);

		sk->sk_data_ready (sk, n);

		sk->sk_data_ready (sk);

	} else

		ksocknal_read_callback(conn);

drivers/target/iscsi/iscsi_target_core.h

+1 −1
Original line number Diff line number Diff line
@@ -556,7 +556,7 @@ struct iscsi_conn { 
	struct completion	rx_half_close_comp;

	/* socket used by this connection */

	struct socket		*sock;

	void			(*orig_data_ready)(struct sock *, int);

	void			(*orig_data_ready)(struct sock *);

	void			(*orig_state_change)(struct sock *);

#define LOGIN_FLAGS_READ_ACTIVE		1

#define LOGIN_FLAGS_CLOSED		2

drivers/target/iscsi/iscsi_target_nego.c

+1 −1
Original line number Diff line number Diff line
@@ -375,7 +375,7 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log 
	return 0;

}



static void iscsi_target_sk_data_ready(struct sock *sk, int count)

static void iscsi_target_sk_data_ready(struct sock *sk)

{

	struct iscsi_conn *conn = sk->sk_user_data;

	bool rc;

CRA Git | Maintained and supported by SUSTech CRA and CCSE