239893 – soclose use after free

Bug 239893 - soclose use after free

Summary: soclose use after free

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Andrey V. Elsukov

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-08-15 22:33 UTC by Chris Miller
Modified:	2019-10-16 01:09 UTC (History)
CC List:	4 users (show)

See Also:	241162

Flags:	koobs: mfc-stable12? koobs: mfc-stable11?

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Miller 2019-08-15 22:33:52 UTC

In soclose() the second loop through lqueue should use TAILQ_FOREACH_SAFE since the socket is freed within the loop by soabort(), so the so_list pointer in that socket could be garbage.

Comment 1 commit-hook freebsd_committer

2019-08-19 12:42:20 UTC

A commit references this bug:

Author: ae
Date: Mon Aug 19 12:42:04 UTC 2019
New revision: 351214
URL: https://svnweb.freebsd.org/changeset/base/351214

Log:
  Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

  PR:		239893
  MFC after:	1 week

Changes:
  head/sys/kern/uipc_socket.c

Comment 2 Kubilay Kocak freebsd_committer

2019-08-19 12:47:12 UTC

^Triage: Assign to committer resolving

Comment 3 commit-hook freebsd_committer

2019-08-26 09:29:57 UTC

A commit references this bug:

Author: ae
Date: Mon Aug 26 09:29:15 UTC 2019
New revision: 351507
URL: https://svnweb.freebsd.org/changeset/base/351507

Log:
  MFC r351214:
    Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

    PR:		239893

Changes:
_U  stable/12/
  stable/12/sys/kern/uipc_socket.c

Comment 4 Andrey V. Elsukov freebsd_committer

2019-08-26 10:10:42 UTC

Fixed in head/ and stable/12. Thanks!