On Wed, 18 Apr 2018 13:46:20 +0200 Ursula Braun <[email protected]> wrote:
> On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> > This may already be fixed.
> >
> > Begin forwarded message:
> >
> > Date: Wed, 18 Apr 2018 01:52:59 +0000
> > From: [email protected]
> > To: [email protected]
> > Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing
> > null pointer vulnerability.
> >
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=199429
> >
> > Bug ID: 199429
> > Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
> > pointer vulnerability.
> > Product: Networking
> > Version: 2.5
> > Kernel Version: 4.16.0-rc7
> > Hardware: All
> > OS: Linux
> > Tree: Mainline
> > Status: NEW
> > Severity: normal
> > Priority: P1
> > Component: Other
> > Assignee: [email protected]
> > Reporter: [email protected]
> > Regression: No
> >
> > Created attachment 275431
> > --> https://bugzilla.kernel.org/attachment.cgi?id=275431&action=edit
> > POC
> >
> > Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
> >
> > NET: Registered protocol family 43
>
> Thanks for reporting. This fix is needed here:
>
> net/smc/af_smc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s
>  	    (sk->sk_state != SMC_APPCLOSEWAIT2) &&
>  	    (sk->sk_state != SMC_APPFINCLOSEWAIT))
>  		goto out;
> -	if (smc->use_fallback) {
> +	if (smc->use_fallback || sk->sk_state == SMC_LISTEN) {
>  		rc = kernel_sock_shutdown(smc->clcsock, how);
>  		sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
>  		if (sk->sk_shutdown == SHUTDOWN_MASK)
>
> Kind regards, Ursula
>

Please submit patch to linux net with proper signed-off-by and Fixes tags.
The maintainer (davem) will take care of getting this into upstream and stable.
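Review bot: the hunk in smc_shutdown() sends SMC_LISTEN sockets down the kernel_sock_shutdown(smc->clcsock, how) path, yet the syzkaller report is a general protection fault inside kernel_sock_shutdown itself, so the change needs to explain why smc->clcsock (and smc->clcsock->sk, dereferenced on the next line) is guaranteed valid in state SMC_LISTEN, or guard that path with something like `if (!smc->clcsock) goto out;` before the call. As posted, the hunk also carries no commit message, no Signed-off-by and no Fixes: tag naming the commit that introduced the crash; all three are required before it can be applied to net and picked up for stable.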
