    rxrpc: Fix call crypto state cleanup · 91fcfbe8
    David Howells authored
    Fix the cleanup of the crypto state on a call after the call has been
    disconnected.  As the call has been disconnected, its connection ref has
    been discarded and so we can't go through that to get to the security ops
    table.
    
    Fix this by caching the security ops pointer in the rxrpc_call struct and
    using that when freeing the call security state.  Also use this in other
    places we're dealing with call-specific security.
    
    The symptoms look like:
    
        BUG: KASAN: use-after-free in rxrpc_release_call+0xb2d/0xb60
        net/rxrpc/call_object.c:481
        Read of size 8 at addr ffff888062ffeb50 by task syz-executor.5/4764
    
    Fixes: 1db88c53 ("rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto")
    Reported-by: syzbot+eed305768ece6682bb7f@syzkaller.appspotmail.com
    Signed-off-by: David Howells <dhowells@redhat.com>
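The lifetime pattern the commit message describes, as an added C illustration that is not rxrpc code and not the kernel's fix: a call reaches its crypto cleanup through the connection's security ops table, so once the call's connection ref has been dropped that path reads released memory, whereas an ops pointer cached in the call at setup stays valid. Every struct, function and counter name below is constructed for the example; "freed" memory is modelled by pointing the connection at a sentinel so the bad read can be detected in the way KASAN detected the one quoted above, instead of being undefined behaviour.

```c
/*
 * Constructed model of the bug in the commit message above.  None of
 * these names are rxrpc's; the refcount and "free" model stand in for
 * the kernel's.  Pre-fix: cleanup goes call->conn->security after the
 * conn ref is gone.  Post-fix: cleanup uses call->security, cached at
 * setup while the connection was still held.
 */
#include <stdio.h>
#include <stdlib.h>

struct security_ops {
	void (*free_call_crypto)(void *state);
};

struct connection {
	int refcount;
	const struct security_ops *security;
};

struct call {
	struct connection *conn;             /* ref discarded at disconnect */
	const struct security_ops *security; /* the fix: cached at setup */
	void *crypto_state;
};

static int frees_done;   /* crypto states freed through a valid ops table */
static int freed_reads;  /* reads that hit a released connection */

static void free_call_crypto(void *state)
{
	free(state);
	frees_done++;
}

static const struct security_ops example_ops = { free_call_crypto };

/* Sentinel standing in for freed memory: conn_put() points the connection
 * here when its last ref drops, so a later read is detectable. */
static const struct security_ops freed_sentinel;

static struct connection *conn_new(void)
{
	struct connection *conn = calloc(1, sizeof(*conn));
	if (!conn)
		abort();
	conn->refcount = 1;            /* the ref the call will own */
	conn->security = &example_ops;
	return conn;
}

static void conn_put(struct connection *conn)
{
	if (--conn->refcount == 0)
		conn->security = &freed_sentinel;  /* object is now "freed" */
}

/* Models the read KASAN flagged: NULL (and a count) if conn was released. */
static const struct security_ops *conn_security(const struct connection *conn)
{
	if (conn->security == &freed_sentinel) {
		freed_reads++;
		return NULL;
	}
	return conn->security;
}

static void call_setup(struct call *call, struct connection *conn)
{
	call->conn = conn;
	call->security = conn->security;  /* cache while the ref is held */
	call->crypto_state = malloc(64);  /* stands in for per-call key state */
}

static void call_disconnect(struct call *call)
{
	conn_put(call->conn);  /* the call's connection ref is discarded */
}

/* Pre-fix: reaches the ops table through the released connection. */
static int release_call_buggy(struct call *call)
{
	const struct security_ops *ops = conn_security(call->conn);

	if (!ops)
		return -1;  /* in the kernel this is the KASAN splat, not an error code */
	ops->free_call_crypto(call->crypto_state);
	call->crypto_state = NULL;
	return 0;
}

/* Post-fix: uses the pointer cached in the call itself. */
static int release_call_fixed(struct call *call)
{
	call->security->free_call_crypto(call->crypto_state);
	call->crypto_state = NULL;
	return 0;
}

/* Setup, disconnect, release.  0 = crypto state freed via a valid ops
 * table; -1 = the release path read the released connection. */
static int run_scenario(int fixed)
{
	struct call call = { 0 };
	struct connection *conn = conn_new();
	int rc;

	call_setup(&call, conn);
	call_disconnect(&call);
	rc = fixed ? release_call_fixed(&call) : release_call_buggy(&call);
	free(call.crypto_state);  /* leak guard for the buggy path; no-op on NULL */
	free(conn);               /* really release the model object */
	return rc;
}

int main(void)
{
	printf("pre-fix release:  %s\n", run_scenario(0) ? "read released conn" : "ok");
	printf("post-fix release: %s\n", run_scenario(1) ? "read released conn" : "ok");
	return 0;
}
```

The point of the model is the ordering, not the allocator: the ops table is reachable only through an object whose lifetime is tied to the connection ref, while the call-specific security state outlives that ref. Copying the pointer into the call at setup, as the commit does, makes the cleanup path independent of the connection's lifetime; the same reasoning applies to any other call-specific security operation that runs after disconnect.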