Bug 239893 - soclose use after free
Summary: soclose use after free
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Andrey V. Elsukov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-15 22:33 UTC by Chris Miller
Modified: 2019-08-26 10:10 UTC

See Also:
koobs: mfc-stable11?
koobs: mfc-stable12?


Description Chris Miller 2019-08-15 22:33:52 UTC
In soclose() the second loop through lqueue should use TAILQ_FOREACH_SAFE since the socket is freed within the loop by soabort(), so the so_list pointer in that socket could be garbage.
Comment 1 commit-hook freebsd_committer 2019-08-19 12:42:20 UTC
A commit references this bug:

Author: ae
Date: Mon Aug 19 12:42:04 UTC 2019
New revision: 351214
URL: https://svnweb.freebsd.org/changeset/base/351214

Log:
  Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

  PR:		239893
  MFC after:	1 week

Changes:
  head/sys/kern/uipc_socket.c
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-19 12:47:12 UTC
^Triage: Assign to committer resolving
Comment 3 commit-hook freebsd_committer 2019-08-26 09:29:57 UTC
A commit references this bug:

Author: ae
Date: Mon Aug 26 09:29:15 UTC 2019
New revision: 351507
URL: https://svnweb.freebsd.org/changeset/base/351507

Log:
  MFC r351214:
    Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

    PR:		239893

Changes:
_U  stable/12/
  stable/12/sys/kern/uipc_socket.c
Comment 4 Andrey V. Elsukov freebsd_committer 2019-08-26 10:10:42 UTC
Fixed in head/ and stable/12. Thanks!
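
An added userland illustration, not code from the FreeBSD tree, of the loop pattern the description and r351214 refer to: a list walk whose body releases the current entry, written once with TAILQ_FOREACH and once with TAILQ_FOREACH_SAFE. `struct conn`, `conn_abort()`, `drain()` and the static pool are hypothetical stand-ins for the socket, soabort() and the lqueue walk; the pool keeps released entries readable so the stale read is observable without undefined behaviour.

```c
#include <stdio.h>
#include <sys/queue.h>

/* Not every libc's <sys/queue.h> ships the _SAFE variants; this is the BSD definition. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)          \
    for ((var) = TAILQ_FIRST((head));                       \
        (var) && ((tvar) = TAILQ_NEXT((var), field), 1);    \
        (var) = (tvar))
#endif
#define NCONN 4

/* Hypothetical stand-in for struct socket; c_list plays the role of so_list. */
struct conn { TAILQ_ENTRY(conn) c_list; };
TAILQ_HEAD(connq, conn);
/* Static pool: aborted entries stay readable, so the demo has no real UAF. */
static struct conn pool[NCONN];

/* Models soabort(): once it returns, the entry's linkage must not be trusted.
 * Scrubbing it to NULL stands in for whatever a real allocator leaves behind. */
static void conn_abort(struct conn *c)
{
    c->c_list.tqe_next = NULL;
    c->c_list.tqe_prev = NULL;
}

/* Queue NCONN entries, abort each in a loop, return how many were reached. */
int drain(int use_safe)
{
    struct connq q;
    struct conn *c, *tmp;
    int n = 0;
    TAILQ_INIT(&q);
    for (int i = 0; i < NCONN; i++)
        TAILQ_INSERT_TAIL(&q, &pool[i], c_list);
    if (use_safe) {
        /* Post-fix shape: the successor is saved in tmp before the body runs. */
        TAILQ_FOREACH_SAFE(c, &q, c_list, tmp) { conn_abort(c); n++; }
    } else {
        /* Pre-fix shape: the step expression reads c->c_list after the abort. */
        TAILQ_FOREACH(c, &q, c_list) { conn_abort(c); n++; }
    }
    return n;
}

int main(void)
{
    printf("TAILQ_FOREACH: %d/%d  TAILQ_FOREACH_SAFE: %d/%d\n", drain(0), NCONN, drain(1), NCONN);
    return 0;
}
```

In this model the plain macro stops after the first entry because the scrubbed link reads as NULL; in the kernel the stale so_list value is whatever the freed memory holds, so the walk can go anywhere.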