diff --git a/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch b/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
new file mode 100644
index 0000000..f75ffc6
--- /dev/null
+++ b/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
@@ -0,0 +1,83 @@
+From ba2ee4b6dc9874de0de26ad4b03c59b179f5dbe5 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Fri, 18 Nov 2022 16:45:01 -0500
+Subject: [PATCH 2/2] tipc: add an extra conn_get in tipc_conn_alloc
+Git-commit: a7b42969d63f47320853a802efd879fbdc4e010e
+Patch-mainline: v6.1-rc7
+References: bsc#1209288 CVE-2023-1382
+
+One extra conn_get() is needed in tipc_conn_alloc(), as after
+tipc_conn_alloc() is called, tipc_conn_close() may free this
+con before deferencing it in tipc_topsrv_accept():
+
+ tipc_conn_alloc();
+ newsk = newsock->sk;
+ <---- tipc_conn_close();
+ write_lock_bh(&sk->sk_callback_lock);
+ newsk->sk_data_ready = tipc_conn_data_ready;
+
+Then an uaf issue can be triggered:
+
+ BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x46
+ print_report+0x178/0x4b0
+ kasan_report+0x8c/0x100
+ kasan_check_range+0x179/0x1e0
+ tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ process_one_work+0x6a3/0x1030
+ worker_thread+0x8a/0xdf0
+
+This patch fixes it by holding it in tipc_conn_alloc(), then after
+all accessing in tipc_topsrv_accept() releasing it. Note when does
+this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns
+0 or -1 only, we don't need to check for "> 0".
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Denis Kirjanov
+---
+ net/tipc/topsrv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index 61e9828a76cd..1a3d9837ac6a 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -206,6 +206,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s
+ set_bit(CF_CONNECTED, &con->flags);
+ con->server = s;
+ con->sock = sock;
++ conn_get(con);
+ spin_unlock_bh(&s->idr_lock);
+
+ return con;
+@@ -474,6 +475,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
+
+ /* Wake up receive process in case of 'SYN+' message */
+ newsk->sk_data_ready(newsk);
++ conn_put(con);
+ }
+ }
+
+@@ -573,10 +575,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
+
+ *conid = con->conid;
+ rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
+- if (rc >= 0)
+- return true;
++ if (rc)
++ conn_put(con);
++
+ conn_put(con);
+- return false;
++ return !rc;
+ }
+
+ void tipc_topsrv_kern_unsubscr(struct net *net, int conid)
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 257324f..6e4acfc 100644
--- a/series.conf
+++ b/series.conf
@@ -23050,6 +23050,7 @@ patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch
 patches.suse/l2tp-Serialize-access-to-sk_user_data-with-sk_callba.patch
 patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch
+ patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
 patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch
 patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch
 patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch
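Review bot: In the tipc_topsrv_kern_subscr() hunk of the embedded patch the failure path now calls conn_put() twice with nothing saying which reference each call drops, so `if (rc) conn_put(con);` directly followed by `conn_put(con);` reads like an accidental double put. The unconditional call balances the conn_get() this patch adds in tipc_conn_alloc(), while the conditional one is the pre-existing failure release that the removed `conn_put(con); return false;` lines performed; since the hunk appears to mirror the mainline commit, a sentence in the patch header rather than a comment in the hunk would keep the backport verbatim while making the pairing explicit, e.g. "the unconditional conn_put() in tipc_topsrv_kern_subscr() drops the extra reference taken in tipc_conn_alloc(); the conditional one is the original error-path release". The rewrite also depends on tipc_conn_rcv_sub() returning only 0 or -1, which the message states but the call site does not check, so `return !rc;` would report failure for a positive return that the old `rc >= 0` accepted; if that invariant is ever changed by a later backport this path silently breaks. tipc_topsrv_kern_subscr() starts before its hunk, and tipc_conn_alloc() and tipc_topsrv_accept() both begin outside theirs.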