Bug 255869

Summary: [PATCH] kern: Fix a use after free bug in sodealloc
Product: Base System Reporter: lylgood
Component: kernAssignee: Mark Johnston <markj>
Status: Closed FIXED    
Severity: Affects Many People CC: markj
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
adds a variable cr_uidinfo
none
V2: defer the crfree to avoid uaf. none

Description lylgood 2021-05-14 11:45:04 UTC 
Created attachment 224933 [details]
adds a variable cr_uidinfo

Bug File: sys/kern/uipc_socket.c

In Function sodealloc, so->so_cred is freed via crfree() at line 479.
But, the freed so->so_cred is dereferenced by so->so_cred->cr_uidinfo at line 486 and 489, which are uaf bugs.

My patch adds a variable cr_uidinfo to avoid the uaf bugs.
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2021-05-17 18:14:01 UTC 
I think this is not formally correct.  The uidinfo structure itself is protected by a reference count which is owned by the cred reference.  Really we should simply defer the crfree() call to until after the chgsbsize() calls.
Comment 2 lylgood 2021-05-18 03:25:22 UTC 
Created attachment 225050 [details]
V2: defer the crfree to avoid uaf.
Comment 3 lylgood 2021-05-18 03:27:27 UTC 
(In reply to Mark Johnston from comment #1)

Thanks for your relpy, i have correct my patch which defers the crfree().
Please check the correctness.

Thanks.
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-05-18 19:44:54 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b295c5ddcef4744ef7044d2327b4258b6ad055f0

commit b295c5ddcef4744ef7044d2327b4258b6ad055f0
Author:     Lv Yunlong <lylgood@foxmail.com>
AuthorDate: 2021-05-18 19:23:15 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:40 +0000

    socket: Release cred reference later in sodealloc()

    We dereference so->so_cred to update the per-uid socket buffer
    accounting, so the crfree() call must be deferred until after that
    point.

    PR:             255869
    MFC after:      1 week

 sys/kern/uipc_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2021-05-25 13:28:50 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e53b671b4f75fe86ace1cb78566ccdbdb56aad01

commit e53b671b4f75fe86ace1cb78566ccdbdb56aad01
Author:     Lv Yunlong <lylgood@foxmail.com>
AuthorDate: 2021-05-18 19:23:15 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:00 +0000

    socket: Release cred reference later in sodealloc()

    We dereference so->so_cred to update the per-uid socket buffer
    accounting, so the crfree() call must be deferred until after that
    point.

    PR:             255869

    (cherry picked from commit b295c5ddcef4744ef7044d2327b4258b6ad055f0)

 sys/kern/uipc_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-05-25 13:29:55 UTC 
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3a84efbedca5c8c45e40bdcaa4e1ae0e15fff94d

commit 3a84efbedca5c8c45e40bdcaa4e1ae0e15fff94d
Author:     Lv Yunlong <lylgood@foxmail.com>
AuthorDate: 2021-05-18 19:23:15 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:28:54 +0000

    socket: Release cred reference later in sodealloc()

    We dereference so->so_cred to update the per-uid socket buffer
    accounting, so the crfree() call must be deferred until after that
    point.

    PR:             255869

    (cherry picked from commit b295c5ddcef4744ef7044d2327b4258b6ad055f0)

 sys/kern/uipc_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)