Skip to content

L
linux
Switch branch/tag
Find file BlameHistoryPermalink
  • Or Cohen's avatar
    net/nfc: fix use-after-free llcp_sock_bind/connect · c61760e6
    Or Cohen authored 
    Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
and c33b1cc6 ("nfc: fix refcount leak in llcp_sock_bind()")
fixed a refcount leak bug in bind/connect but introduced a
use-after-free if the same local is assigned to 2 different sockets.

This can be triggered by the following simple program:
    int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
    addr.sa_family = AF_NFC;
    addr.nfc_protocol = NFC_PROTO_NFC_DEP;
    bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    close(sock1);
    close(sock2);

Fix this by assigning NULL to llcp_sock->local after calling
nfc_llcp_local_put.

This addresses CVE-2021-23134.
Reported-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
Reported-by: default avatarNadav Markus <nmarkus@paloaltonetworks.com>
Fixes: c33b1cc6 ("nfc: fix refcount leak in llcp_sock_bind()")
Signed-off-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    c61760e6
llcp_sock.c 22.4 KB
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7