From 81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Fri, 29 Jan 2016 11:24:24 -0800 Subject: NFC: Use GFP_USER for user-controlled kmalloc These two functions are called in sendmsg path, and the 'len' is passed from user-space, so we should not allow malicious users to OOM kernel on purpose. Reported-by: Dmitry Vyukov Acked-by: Eric Dumazet Reviewed-by: Julian Calaby Signed-off-by: Cong Wang Signed-off-by: Samuel Ortiz --- net/nfc/llcp_commands.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'net/nfc') diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 3621a902cb6e..3425532c39f7 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock, return -ENOBUFS; } - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; @@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, if (local == NULL) return -ENODEV; - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; -- cgit v1.2.3 From 03c05355543149bf610f4375e8382ee4fc0aaade Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Fri, 29 Jan 2016 11:37:40 -0800 Subject: NFC: Close a race condition in llcp_sock_getname() llcp_sock_getname() checks llcp_sock->dev to make sure llcp_sock is already connected or bound, however, we could be in the middle of llcp_sock_bind() where llcp_sock->dev is bound and llcp_sock->service_name_len is set, but llcp_sock->service_name is not, in this case we would lead to copy some bytes from a NULL pointer. Just lock the sock since this is not a hot path anyway. Reported-by: Dmitry Vyukov Signed-off-by: Cong Wang Signed-off-by: Samuel Ortiz --- net/nfc/llcp_sock.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'net/nfc') diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index ecf0a0196f18..b9edf5fae6ae 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -509,6 +509,11 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr, memset(llcp_addr, 0, sizeof(*llcp_addr)); *len = sizeof(struct sockaddr_nfc_llcp); + lock_sock(sk); + if (!llcp_sock->dev) { + release_sock(sk); + return -EBADFD; + } llcp_addr->sa_family = AF_NFC; llcp_addr->dev_idx = llcp_sock->dev->idx; llcp_addr->target_idx = llcp_sock->target_idx; @@ -518,6 +523,7 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr, llcp_addr->service_name_len = llcp_sock->service_name_len; memcpy(llcp_addr->service_name, llcp_sock->service_name, llcp_addr->service_name_len); + release_sock(sk); return 0; } -- cgit v1.2.3