Commit 8c7188b2 authored by Quentin Casasnovas's avatar Quentin Casasnovas Committed by David S. Miller
Browse files

RDS: fix race condition when sending a message on unbound socket 



Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket.  The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket.  This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().

Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.

I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.

Complete earlier incomplete fix to CVE-2015-6937:

  74e98eb0 ("RDS: verify the underlying transport exists before creating a connection")

Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org

Reviewed-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: default avatarSasha Levin <sasha.levin@oracle.com>
Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: default avatarQuentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 20f79566

net/rds/connection.c

+0 −6
Original line number Diff line number Diff line
@@ -186,12 +186,6 @@ static struct rds_connection *__rds_conn_create(struct net *net, 
		}

	}



	if (trans == NULL) {

		kmem_cache_free(rds_conn_slab, conn);

		conn = ERR_PTR(-ENODEV);

		goto out;

	}



	conn->c_trans = trans;



	ret = trans->conn_alloc(conn, gfp);

net/rds/send.c

+3 −1
Original line number Diff line number Diff line
@@ -1013,11 +1013,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) 
		release_sock(sk);

	}



	/* racing with another thread binding seems ok here */

	lock_sock(sk);

	if (daddr == 0 || rs->rs_bound_addr == 0) {

		release_sock(sk);

		ret = -ENOTCONN; /* XXX not a great errno */

		goto out;

	}

	release_sock(sk);



	if (payload_len > rds_sk_sndbuf(rs)) {

		ret = -EMSGSIZE;

CRA Git | Maintained and supported by SUSTech CRA and CCSE