Bug 239893

Summary: soclose use after free
Product: Base System
Reporter: Chris Miller <chrismiller.bsd>
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed FIXED
Severity: Affects Some People
CC: ae, chris, glebius, rlwestlund
Priority: ---
Flags: koobs: mfc-stable12?, koobs: mfc-stable11?
Version: CURRENT
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241162

Description Chris Miller 2019-08-15 22:33:52 UTC
In soclose() the second loop through lqueue should use TAILQ_FOREACH_SAFE since the socket is freed within the loop by soabort(), so the so_list pointer in that socket could be garbage.
Comment 1 commit-hook freebsd_committer freebsd_triage 2019-08-19 12:42:20 UTC
A commit references this bug:

Author: ae
Date: Mon Aug 19 12:42:04 UTC 2019
New revision: 351214
URL: https://svnweb.freebsd.org/changeset/base/351214

Log:
  Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

  PR:		239893
  MFC after:	1 week

Changes:
  head/sys/kern/uipc_socket.c
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-19 12:47:12 UTC
^Triage: Assign to committer resolving
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-08-26 09:29:57 UTC
A commit references this bug:

Author: ae
Date: Mon Aug 26 09:29:15 UTC 2019
New revision: 351507
URL: https://svnweb.freebsd.org/changeset/base/351507

Log:
  MFC r351214:
    Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

    PR:		239893

Changes:
_U  stable/12/
  stable/12/sys/kern/uipc_socket.c
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2019-08-26 10:10:42 UTC
Fixed in head/ and stable/12. Thanks!
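
The loop shape reported in the description and the fix committed in r351214, as an added userland example that is not the FreeBSD source. `struct conn`, `conn_abort()`, `next_of()` and the four-node queue are hypothetical stand-ins; the two loops are written out in the shape of TAILQ_FOREACH and TAILQ_FOREACH_SAFE so that each read of the link field can be counted, and nodes are marked rather than freed so the unsafe read is observable without undefined behaviour.

```c
#include <stdio.h>
#include <sys/queue.h>
#define NCONN 4                 /* constructed sample: four queued connections */

/* Hypothetical stand-in for struct socket; "link" plays the role of so_list. */
struct conn {
    int released;               /* set where the kernel would free the socket */
    TAILQ_ENTRY(conn) link;
};
TAILQ_HEAD(connq, conn);

/* Stand-in for soabort(): marks the node instead of freeing it. */
static void conn_abort(struct conn *c) { c->released = 1; }

/* Every read of the link field goes through here and is checked. */
static struct conn *next_of(struct conn *c, int *stale) {
    *stale += c->released;      /* link read from an already released node */
    return TAILQ_NEXT(c, link);
}

static void fill(struct connq *q, struct conn *nodes) {
    TAILQ_INIT(q);
    for (int i = 0; i < NCONN; i++) {
        nodes[i].released = 0;
        TAILQ_INSERT_TAIL(q, &nodes[i], link);
    }
}

/* Shape of TAILQ_FOREACH: the step expression reads the link after the body. */
int drain_foreach(void) {
    struct conn nodes[NCONN], *c; struct connq q; int stale = 0;
    fill(&q, nodes);
    for (c = TAILQ_FIRST(&q); c != NULL; c = next_of(c, &stale))
        conn_abort(c);
    return stale;
}

/* Shape of TAILQ_FOREACH_SAFE: the successor is saved before the body runs. */
int drain_foreach_safe(void) {
    struct conn nodes[NCONN], *c, *tmp; struct connq q; int stale = 0;
    fill(&q, nodes);
    for (c = TAILQ_FIRST(&q); c != NULL && (tmp = next_of(c, &stale), 1); c = tmp)
        conn_abort(c);
    return stale;
}

int main(void) {
    printf("foreach: %d stale reads, safe: %d\n", drain_foreach(), drain_foreach_safe());
    return 0;
}
```

With the plain loop every node's link is read after the node was released; with the safe form none is.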