Re: [PATCH 2/4] nfc: Protect access to nfc_dev in an llcp_sock with a rwlock

From: Krzysztof Kozlowski
Date: Mon Nov 27 2023 - 05:38:27 EST

Next message: Masami Hiramatsu (Google): "[PATCH v5 0/1] PM: sleep: Expose last succeeded resumed timestamp in sysfs"
Previous message: Naresh Solanki: "Re: [PATCH v2] regulator: event: Add regulator netlink event support"
In reply to: Siddh Raman Pant: "[PATCH 2/4] nfc: Protect access to nfc_dev in an llcp_sock with a rwlock"
Next in thread: Krzysztof Kozlowski: "Re: [PATCH 0/4] Fix UAF caused by racing datagram sending and freeing of nfc_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 25/11/2023 21:26, Siddh Raman Pant wrote:
> llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame(), which accesses the
> nfc_dev from the llcp_sock for getting the headroom and tailroom needed
> for skb allocation.

This path should have reference to nfc device: nfc_get_device(). Why is
this not sufficient?

>
> Parallely, the nfc_dev can be freed via the nfc_unregister_device()
> codepath (nfc_release() being called due to the class unregister in
> nfc_exit()), leading to the UAF reported by Syzkaller.
>
> We have the following call tree before freeing:
>
> nfc_unregister_device()
> -> nfc_llcp_unregister_device()
> -> local_cleanup()
> -> nfc_llcp_socket_release()
>
> nfc_llcp_socket_release() sets the state of sockets to LLCP_CLOSED,
> and this is encountered necessarily before any freeing of nfc_dev.

Sorry, I don't understand. What is encountered before freeing?

>
> Thus, add a rwlock in struct llcp_sock to synchronize access to
> nfc_dev. nfc_dev in an llcp_sock will be NULLed in a write critical
> section when socket state has been set to closed. Thus, we can avoid
> the UAF by bailing out from a read critical section upon seeing NULL.
>
> Since this is repeated multiple times in nfc_llcp_socket_release(),
> extract the behaviour into a new function.
>
> Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
> Signed-off-by: Siddh Raman Pant <code@xxxxxxxx>
> ---
> net/nfc/llcp.h | 1 +
> net/nfc/llcp_commands.c | 27 ++++++++++++++++++++++++---
> net/nfc/llcp_core.c | 31 +++++++++++++++++++------------
> net/nfc/llcp_sock.c | 2 ++
> 4 files changed, 46 insertions(+), 15 deletions(-)
>
> diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
> index d8345ed57c95..800cbe8e3d6b 100644
> --- a/net/nfc/llcp.h
> +++ b/net/nfc/llcp.h
> @@ -102,6 +102,7 @@ struct nfc_llcp_local {
> struct nfc_llcp_sock {
> struct sock sk;
> struct nfc_dev *dev;
> + rwlock_t rw_dev_lock;

I dislike the idea of introducing the third (!!!) lock here. It looks
like a bandaid for this one particular problem.

> struct nfc_llcp_local *local;
> u32 target_idx;
> u32 nfc_protocol;
> diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
> index 39c7c59bbf66..b132830bc206 100644
> --- a/net/nfc/llcp_commands.c
> +++ b/net/nfc/llcp_commands.c
> @@ -315,13 +315,24 @@ static struct sk_buff *llcp_allocate_pdu(struct nfc_llcp_sock *sock,
> {
> struct sk_buff *skb;
> int err, headroom, tailroom;
> + unsigned long irq_flags;
>
> if (sock->ssap == 0)
> return NULL;
>
> + read_lock_irqsave(&sock->rw_dev_lock, irq_flags);
> +
> + if (!sock->dev) {
> + read_unlock_irqrestore(&sock->rw_dev_lock, irq_flags);
> + pr_err("NFC device does not exit\n");

exist?

Best regards,
Krzysztof

Next message: Masami Hiramatsu (Google): "[PATCH v5 0/1] PM: sleep: Expose last succeeded resumed timestamp in sysfs"
Previous message: Naresh Solanki: "Re: [PATCH v2] regulator: event: Add regulator netlink event support"
In reply to: Siddh Raman Pant: "[PATCH 2/4] nfc: Protect access to nfc_dev in an llcp_sock with a rwlock"
Next in thread: Krzysztof Kozlowski: "Re: [PATCH 0/4] Fix UAF caused by racing datagram sending and freeing of nfc_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]