On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> This may already be fixed.
>
> Begin forwarded message:
>
> Date: Wed, 18 Apr 2018 01:52:59 +0000
> From: [email protected]
> To: [email protected]
> Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing
> null pointer vulnerability.
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199429
>
> Bug ID: 199429
> Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
> pointer vulnerability.
> Product: Networking
> Version: 2.5
> Kernel Version: 4.16.0-rc7
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: [email protected]
> Reporter: [email protected]
> Regression: No
>
> Created attachment 275431
> --> https://bugzilla.kernel.org/attachment.cgi?id=275431&action=edit
> POC
>
> Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
>
> NET: Registered protocol family 43
Thanks for reporting. This fix is needed here:
net/smc/af_smc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s
(sk->sk_state != SMC_APPCLOSEWAIT2) &&
(sk->sk_state != SMC_APPFINCLOSEWAIT))
goto out;
- if (smc->use_fallback) {
+ if (smc->use_fallback || sk->sk_state == SMC_LISTEN) {
rc = kernel_sock_shutdown(smc->clcsock, how);
sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
if (sk->sk_shutdown == SHUTDOWN_MASK)
Kind regards, Ursula
