    rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record · 9ebeddef
    David Howells authored
    The rxrpc_peer record needs to hold a reference on the rxrpc_local record
    it points to, as the peer is used as a base to access information in the
    rxrpc_local record.
    
    This can cause problems in __rxrpc_put_peer(), where we need the network
    namespace pointer, and in rxrpc_send_keepalive(), where we need to access
    the UDP socket, leading to symptoms like:
    
        BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
        [inline]
        BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
        net/rxrpc/peer_object.c:435
        Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
    
    Fix this by taking a ref on the local record for the peer record.
    
    Fixes: ace45bec ("rxrpc: Fix firewall route keepalive")
    Fixes: 2baec2c3 ("rxrpc: Support network namespacing")
    Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
    Signed-off-by: David Howells <dhowells@redhat.com>
peer_object.c 12.2 KB
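The lifetime rule described in the commit message, as a userspace model added here for illustration; it is not the kernel's code, and every name in it (`struct local`, `struct peer`, `peer_put`, `net_id`, `demo`) is hypothetical. The peer takes its own reference on the local record at allocation, so the read through `p->local` during peer teardown still hits live memory even when the original owner has already dropped its reference.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: hypothetical names, plain ints instead of refcount_t. */
struct local { int refs; int net_id; };
struct peer  { int refs; struct local *local; };

static int locals_freed;        /* counts frees, so nothing reads freed memory */
static int last_net_seen = -1;  /* value read through peer->local at teardown */

static struct local *local_alloc(int net_id) {
    struct local *l = malloc(sizeof(*l));
    if (!l) return NULL;
    l->refs = 1;
    l->net_id = net_id;
    return l;
}
static struct local *local_get(struct local *l) { l->refs++; return l; }
static void local_put(struct local *l) {
    if (--l->refs == 0) { locals_freed++; free(l); }
}
static struct peer *peer_alloc(struct local *l) {
    struct peer *p = malloc(sizeof(*p));
    if (!p) return NULL;
    p->refs = 1;
    p->local = local_get(l);    /* the peer pins the record it dereferences */
    return p;
}
static void peer_put(struct peer *p) {
    if (--p->refs) return;
    last_net_seen = p->local->net_id;  /* teardown still needs the local */
    local_put(p->local);               /* only now may the local go away */
    free(p);
}
/* Returns 1 when the local record outlived the peer's teardown read. */
static int demo(void) {
    locals_freed = 0;
    struct local *l = local_alloc(7);  /* 7 is a constructed sample value */
    if (!l) return 0;
    struct peer *p = peer_alloc(l);
    if (!p) { local_put(l); return 0; }
    local_put(l);                      /* owner drops its reference first */
    int alive_while_peer_held = (locals_freed == 0);
    peer_put(p);
    return alive_while_peer_held && locals_freed == 1 && last_net_seen == 7;
}
int main(void) {
    printf("local outlived peer teardown: %d\n", demo());
    return 0;
}
```

Without the `local_get()` in `peer_alloc()`, the owner's `local_put()` would free the record and the read in `peer_put()` would be the use-after-free pattern the KASAN report shows.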