mctp: prevent double key removal and unref

Currently, we have a bug where a simultaneous DROPTAG ioctl and socket
close may race, as we attempt to remove a key from lists twice, and
perform an unref for each removal operation. This may result in a uaf
when we attempt the second unref.

This change fixes the race by making __mctp_key_remove tolerant to being
called on a key that has already been removed from the socket/net lists,
and only performs the unref when we do the actual remove. We also need
to hold the list lock on the ioctl cleanup path.

This fix is based on a bug report and comprehensive analysis from
butt3rflyh4ck <butterflyhuangxx@gmail.com>, found via syzkaller.

Cc: stable@vger.kernel.org
Fixes: bf2078784326 ("mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control")
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
index c2fc2a7b252853af80515a0848ae1ee8806af120..b6b5e496fa403cc94331d3efbf1ba1dcbc405110 100644 (file)
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -295,11 +295,12 @@ __must_hold(&net->mctp.keys_lock)
        mctp_dev_release_key(key->dev, key);
        spin_unlock_irqrestore(&key->lock, flags);
 
-       hlist_del(&key->hlist);
-       hlist_del(&key->sklist);
-
-       /* unref for the lists */
-       mctp_key_unref(key);
+       if (!hlist_unhashed(&key->hlist)) {
+               hlist_del_init(&key->hlist);
+               hlist_del_init(&key->sklist);
+               /* unref for the lists */
+               mctp_key_unref(key);
+       }
 
        kfree_skb(skb);
 }
@@ -373,9 +374,17 @@ static int mctp_ioctl_alloctag(struct mctp_sock *msk, unsigned long arg)
 
        ctl.tag = tag | MCTP_TAG_OWNER | MCTP_TAG_PREALLOC;
        if (copy_to_user((void __user *)arg, &ctl, sizeof(ctl))) {
-               spin_lock_irqsave(&key->lock, flags);
-               __mctp_key_remove(key, net, flags, MCTP_TRACE_KEY_DROPPED);
+               unsigned long fl2;
+               /* Unwind our key allocation: the keys list lock needs to be
+                * taken before the individual key locks, and we need a valid
+                * flags value (fl2) to pass to __mctp_key_remove, hence the
+                * second spin_lock_irqsave() rather than a plain spin_lock().
+                */
+               spin_lock_irqsave(&net->mctp.keys_lock, flags);
+               spin_lock_irqsave(&key->lock, fl2);
+               __mctp_key_remove(key, net, fl2, MCTP_TRACE_KEY_DROPPED);
                mctp_key_unref(key);
+               spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
                return -EFAULT;
        }
 

diff --git a/net/mctp/route.c b/net/mctp/route.c
index 3b24b8d18b5b55d3f23b8f8af6cb7edb563dc171..2155f15a074cd10649a4e7e09ce0dba3acc66f72 100644 (file)
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -228,12 +228,12 @@ __releases(&key->lock)
 
        if (!key->manual_alloc) {
                spin_lock_irqsave(&net->mctp.keys_lock, flags);
-               hlist_del(&key->hlist);
-               hlist_del(&key->sklist);
+               if (!hlist_unhashed(&key->hlist)) {
+                       hlist_del_init(&key->hlist);
+                       hlist_del_init(&key->sklist);
+                       mctp_key_unref(key);
+               }
                spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
-
-               /* unref for the lists */
-               mctp_key_unref(key);
        }
 
        /* and one for the local reference */