linux/drivers/net
Peter Hurley ee9159ddce wan/x25: Fix use-after-free in x25_asy_open_tty()
The N_X25 line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(i.e. from open() to close() only).

[1]
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-01 15:17:42 -05:00
appletalk
arcnet arcnet/com20020: add LEDS_CLASS dependency 2015-11-03 11:29:56 -05:00
bonding bonding: fix panic on non-ARPHRD_ETHER enslave failure 2015-11-07 13:17:32 -05:00
caif net: caif: check return value of alloc_netdev 2015-11-09 11:31:13 -05:00
can can: remove obsolete assignment for CAN protocol error type 2015-11-23 09:37:38 +01:00
cris
dsa net: dsa: mv88e6060: replace magic values with register defines 2015-11-15 20:16:16 -05:00
ethernet net: fsl: Fix error checking for platform_get_irq() 2015-11-30 15:19:44 -05:00
fddi net/fddi: remove HWM_REVERSE() macro 2015-08-13 21:12:17 -07:00
fjes fjes: fix inconsistent indenting 2015-11-15 17:09:23 -05:00
hamradio Merge branch 'x86/urgent' into x86/asm to fix up conflicts and to pick up fixes 2015-08-18 09:39:47 +02:00
hippi
hyperv flow_dissector: Add flags argument to skb_flow_dissector functions 2015-09-01 15:06:22 -07:00
ieee802154 spi: Updates for v4.4 2015-11-05 13:15:12 -08:00
ipvlan ipvlan: fix use after free of skb 2015-11-17 14:39:29 -05:00
irda net: irda: pxaficp_ir: dmaengine conversion 2015-09-28 22:32:48 -07:00
phy broadcom: fix PHY_ID_BCM5481 entry in the id table 2015-11-23 23:29:27 -05:00
plip
ppp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-11-03 13:41:45 -05:00
slip ppp, slip: Validate VJ compression slot parameters completely 2015-11-02 16:25:00 -05:00
team net: team: convert to using IFF_NO_QUEUE 2015-08-18 11:55:05 -07:00
usb net: cdc_ncm: fix NULL pointer deref in cdc_ncm_bind_common 2015-11-24 14:26:16 -05:00
vmxnet3 Driver: Vmxnet3: Fix use of mfTableLen for big endian architectures 2015-11-16 15:06:47 -05:00
wan wan/x25: Fix use-after-free in x25_asy_open_tty() 2015-12-01 15:17:42 -05:00
wimax
wireless rtlwifi: rtl8821ae: Fix lockups on boot 2015-11-17 15:58:53 +02:00
xen-netback xen: features for 4.4-rc0 2015-11-04 17:32:42 -08:00
Kconfig net: Add IPv6 support to VRF device 2015-10-13 04:55:07 -07:00
LICENSE.SRC
Makefile fjes: Introduce FUJITSU Extended Socket Network Device driver 2015-08-24 14:06:33 -07:00
Space.c
dummy.c net: dummy: add more features 2015-10-21 19:36:10 -07:00
eql.c
geneve.c geneve: add IPv6 bits to geneve_fill_metadata_dst 2015-10-30 12:10:54 +09:00
ifb.c
loopback.c net: loopback: convert to using IFF_NO_QUEUE 2015-08-18 11:55:05 -07:00
macvlan.c macvlan: fix leak in macvlan_handle_frame 2015-11-17 14:39:29 -05:00
macvtap.c macvtap: Resolve possible __might_sleep warning in macvtap_do_read() 2015-11-09 12:04:44 -05:00
mdio.c
mii.c
netconsole.c netconsole: use per-attribute show and store methods 2015-10-13 22:17:51 -07:00
nlmon.c net: nlmon: convert to using IFF_NO_QUEUE 2015-08-18 11:55:05 -07:00
ntb_netdev.c NTB: Add flow control to the ntb_netdev 2015-09-07 15:17:08 -04:00
rionet.c bus: subsys: update return type of ->remove_dev() to void 2015-08-05 17:08:14 -07:00
sb1000.c
sungem_phy.c
tun.c tun: use sk_fullsock() before reading sk->sk_tsflags 2015-10-12 19:45:48 -07:00
veth.c net: veth: enable noqueue operation by default 2015-08-18 11:55:04 -07:00
virtio_net.c virtio-net: avoid unnecessary sg initialization 2015-08-27 15:51:45 -07:00
vrf.c vrf: fix double free and memory corruption on register_netdevice failure 2015-11-23 17:52:46 -05:00
vxlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
xen-netfront.c xen: features for 4.4-rc0 2015-11-04 17:32:42 -08:00