diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3543.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3543.patch | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3543.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3543.patch new file mode 100644 index 000000000..9d83b59af --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3543.patch @@ -0,0 +1,97 @@ +From 2f415ad33bc1a729fb1050141921b5a9ec4e062c Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima <kuniyu@amazon.com> +Date: Thu, 29 Sep 2022 08:52:04 -0700 +Subject: [PATCH] af_unix: Fix memory leaks of the whole sk due to OOB skb. + +[ Upstream commit 7a62ed61367b8fd01bae1e18e30602c25060d824 ] + +syzbot reported a sequence of memory leaks, and one of them indicated we +failed to free a whole sk: + + unreferenced object 0xffff8880126e0000 (size 1088): + comm "syz-executor419", pid 326, jiffies 4294773607 (age 12.609s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 7d 00 00 00 00 00 00 00 ........}....... + 01 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<000000006fefe750>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:1970 + [<0000000074006db5>] sk_alloc+0x3b/0x800 net/core/sock.c:2029 + [<00000000728cd434>] unix_create1+0xaf/0x920 net/unix/af_unix.c:928 + [<00000000a279a139>] unix_create+0x113/0x1d0 net/unix/af_unix.c:997 + [<0000000068259812>] __sock_create+0x2ab/0x550 net/socket.c:1516 + [<00000000da1521e1>] sock_create net/socket.c:1566 [inline] + [<00000000da1521e1>] __sys_socketpair+0x1a8/0x550 net/socket.c:1698 + [<000000007ab259e1>] __do_sys_socketpair net/socket.c:1751 [inline] + [<000000007ab259e1>] __se_sys_socketpair net/socket.c:1748 [inline] + [<000000007ab259e1>] __x64_sys_socketpair+0x97/0x100 net/socket.c:1748 + [<000000007dedddc1>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<000000007dedddc1>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + [<000000009456679f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +We can reproduce this issue by creating two AF_UNIX SOCK_STREAM sockets, +send()ing an OOB skb to each other, and close()ing them without consuming +the OOB skbs. + + int skpair[2]; + + socketpair(AF_UNIX, SOCK_STREAM, 0, skpair); + + send(skpair[0], "x", 1, MSG_OOB); + send(skpair[1], "x", 1, MSG_OOB); + + close(skpair[0]); + close(skpair[1]); + +Currently, we free an OOB skb in unix_sock_destructor() which is called via +__sk_free(), but it's too late because the receiver's unix_sk(sk)->oob_skb +is accounted against the sender's sk->sk_wmem_alloc and __sk_free() is +called only when sk->sk_wmem_alloc is 0. + +In the repro sequences, we do not consume the OOB skb, so both two sk's +sock_put() never reach __sk_free() due to the positive sk->sk_wmem_alloc. +Then, no one can consume the OOB skb nor call __sk_free(), and we finally +leak the two whole sk. + +Thus, we must free the unconsumed OOB skb earlier when close()ing the +socket. + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/unix/af_unix.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index bf338b782fc4c4..d686804119c991 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -569,12 +569,6 @@ static void unix_sock_destructor(struct sock *sk) + + skb_queue_purge(&sk->sk_receive_queue); + +-#if IS_ENABLED(CONFIG_AF_UNIX_OOB) +- if (u->oob_skb) { +- kfree_skb(u->oob_skb); +- u->oob_skb = NULL; +- } +-#endif + WARN_ON(refcount_read(&sk->sk_wmem_alloc)); + WARN_ON(!sk_unhashed(sk)); + WARN_ON(sk->sk_socket); +@@ -620,6 +614,13 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_state_unlock(sk); + ++#if IS_ENABLED(CONFIG_AF_UNIX_OOB) ++ if (u->oob_skb) { ++ kfree_skb(u->oob_skb); ++ u->oob_skb = NULL; ++ } ++#endif ++ + wake_up_interruptible_all(&u->peer_wait); + + if (skpair != NULL) { |