Date: Sat, 18 Sep 2021 14:42:12 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 50b07c1f7131 - main - unix: Fix a use-after-free in unp_drop()
Message-ID: <202109181442.18IEgCqN024464@gitrepo.freebsd.org>
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51

commit 50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-09-18 14:38:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-09-18 14:38:39 +0000

    unix: Fix a use-after-free in unp_drop()

    We need to load the socket pointer after locking the PCB, otherwise the
    socket may have been detached and freed by the time that unp_drop() sets
    so_error.  This previously went unnoticed as the socket zone was _NOFREE.

    Reported by:    pho
    MFC after:      1 week
---
 sys/kern/uipc_usrreq.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 5add930bfa8e..0ee29143c731 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -1971,7 +1971,7 @@ unp_shutdown(struct unpcb *unp) static void unp_drop(struct unpcb *unp) { - struct socket *so = unp->unp_socket; + struct socket *so; struct unpcb *unp2; /* @@ -1981,6 +1981,7 @@ unp_drop(struct unpcb *unp) */ UNP_PCB_LOCK(unp); + so = unp->unp_socket; if (so) so->so_error = ECONNRESET; if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {
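Review bot: in the first hunk (@@ -1971,7 +1971,7 @@), dropping the initializer leaves `struct socket *so;` with nothing in this hunk showing where it is assigned; the assignment now lives after UNP_PCB_LOCK(unp) in the following hunk. A one-line comment on the declaration, for example `struct socket *so;	/* loaded under UNP_PCB_LOCK */`, would record that the pointer must not be read before the lock is taken, so a later edit does not quietly reintroduce the early load that this commit removes.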
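Review bot: in the second hunk (@@ -1981,6 +1981,7 @@) the fix only works if the detach path clears unp->unp_socket under the same UNP_PCB_LOCK before the socket is freed, so that a detached PCB reads as NULL here and the existing `if (so)` test skips it; that invariant is stated only in the commit message, not in the code. The comment block that closes with ` */` immediately above UNP_PCB_LOCK(unp) is the natural place to say that unp_socket is valid only while the PCB lock is held and is cleared before the socket goes away. The store `so->so_error = ECONNRESET;` is still made with only the PCB lock held (unchanged by this patch), which is correct exactly as long as that same invariant keeps the socket alive for the duration of the critical section, so it is worth documenting in the same comment.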
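The race the commit message describes, as an added example that is not FreeBSD code: a single-threaded model in which a "pcb" carries a back-pointer to a "socket", detach() clears that pointer under the pcb lock and then frees the socket, and two versions of drop() read the pointer either before the lock (the old unp_drop()) or after it (the fixed one). The interleaving is driven by an explicit hook so the outcome is deterministic, and "free" only marks the object so the racy path reports the use-after-free instead of crashing. All names here (struct sock, struct pcb, detach, drop_racy, drop_fixed, run_scenario) are hypothetical stand-ins chosen for illustration; only the shape of the bug and of the fix follows the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for struct socket and struct unpcb (not FreeBSD code). */
struct sock {
	int	so_error;
	bool	freed;		/* set by sock_free(); replaces the real allocator */
};

struct pcb {
	struct sock	*unp_socket;	/* back-pointer; cleared by detach() */
	bool		locked;		/* stands in for UNP_PCB_LOCK/UNLOCK */
};

static void pcb_lock(struct pcb *p)   { p->locked = true; }
static void pcb_unlock(struct pcb *p) { p->locked = false; }
static void sock_free(struct sock *s) { s->freed = true; }

/*
 * The other side of the race: detach clears the PCB's socket pointer under
 * the PCB lock and then frees the socket.  Anyone who read unp_socket before
 * this ran now holds a dangling pointer.
 */
static void detach(struct pcb *p)
{
	struct sock *s;

	pcb_lock(p);
	s = p->unp_socket;
	p->unp_socket = NULL;
	pcb_unlock(p);
	if (s != NULL)
		sock_free(s);
}

/*
 * Hook run at the point where the other thread may be scheduled.  Passing
 * detach makes the race happen; passing no_race makes it not happen.
 */
typedef void (*interleave_fn)(struct pcb *);
static void no_race(struct pcb *p) { (void)p; }

/*
 * Old unp_drop(): the socket pointer is loaded before the PCB lock.
 * Returns true if it would have written to a freed socket.
 */
static bool drop_racy(struct pcb *p, interleave_fn other_thread)
{
	struct sock *so = p->unp_socket;	/* BUG: read outside the lock */
	bool uaf;

	other_thread(p);			/* detach may run here */
	pcb_lock(p);
	uaf = (so != NULL && so->freed);
	if (so != NULL && !uaf)
		so->so_error = ECONNRESET;	/* in the kernel, this is the UAF write */
	pcb_unlock(p);
	return (uaf);
}

/*
 * Fixed unp_drop(): lock first, then load.  If detach already ran, the
 * pointer reads as NULL and the socket is never touched.
 */
static bool drop_fixed(struct pcb *p, interleave_fn other_thread)
{
	struct sock *so;
	bool uaf;

	other_thread(p);
	pcb_lock(p);
	so = p->unp_socket;			/* read under the lock detach() takes */
	uaf = (so != NULL && so->freed);
	if (so != NULL && !uaf)
		so->so_error = ECONNRESET;
	pcb_unlock(p);
	return (uaf);
}

/*
 * Run one interleaving on a fresh pcb/socket pair (constructed inline).
 * Returns whether a freed socket was touched; *so_error_out receives the
 * socket's final so_error so the caller can see whether the reset landed.
 */
bool run_scenario(bool fixed, bool detach_in_between, int *so_error_out)
{
	struct sock s = { .so_error = 0, .freed = false };
	struct pcb p = { .unp_socket = &s, .locked = false };
	interleave_fn f = detach_in_between ? detach : no_race;
	bool uaf = fixed ? drop_fixed(&p, f) : drop_racy(&p, f);

	if (so_error_out != NULL)
		*so_error_out = s.so_error;
	return (uaf);
}

int main(void)
{
	static const char *const names[] = { "racy", "fixed" };
	int fixed, race;

	for (fixed = 0; fixed < 2; fixed++)
		for (race = 0; race < 2; race++) {
			int err;
			bool uaf = run_scenario(fixed, race, &err);

			printf("%-5s drop, detach %s: %s, so_error=%d\n",
			    names[fixed], race ? "in between" : "absent",
			    uaf ? "USE-AFTER-FREE" : "ok", err);
		}
	return (0);
}
```

Only the ordering of the load relative to the lock differs between drop_racy() and drop_fixed(); the NULL check is the same in both. That is the point of the patch: the check is only meaningful when the value it tests was read under the lock that the freeing path also holds, which is why the fix is a two-line move rather than an extra test.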