Date: Sat, 25 Sep 2021 00:59:30 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 6955c22001b1 - stable/13 - unix: Fix a use-after-free in unp_drop()
Message-ID: <202109250059.18P0xUIF095943@gitrepo.freebsd.org>
The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6955c22001b13b0a3315be5f4c957c2a853ad43e

commit 6955c22001b13b0a3315be5f4c957c2a853ad43e
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-09-18 14:38:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-09-25 00:59:20 +0000

    unix: Fix a use-after-free in unp_drop()

    We need to load the socket pointer after locking the PCB, otherwise the
    socket may have been detached and freed by the time that unp_drop() sets
    so_error.  This previously went unnoticed as the socket zone was _NOFREE.

    Reported by:    pho

    (cherry picked from commit 50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51)
---
 sys/kern/uipc_usrreq.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 3d7daac42001..5dca0714c400 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1962,7 +1962,7 @@ unp_shutdown(struct unpcb *unp)
 static void
 unp_drop(struct unpcb *unp)
 {
-	struct socket *so = unp->unp_socket;
+	struct socket *so;
 	struct unpcb *unp2;
 
 	/*
@@ -1972,6 +1972,7 @@ unp_drop(struct unpcb *unp)
 	 */
 	UNP_PCB_LOCK(unp);
+	so = unp->unp_socket;
 	if (so)
 		so->so_error = ECONNRESET;
 	if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {
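Review bot: in the first hunk, dropping the initializer from `struct socket *so;` is the right move, but nothing now records why the load was moved, and the comment block that opens at the end of this hunk (`/*`, body not shown here) is the natural place to state that `unp_socket` may only be read while `UNP_PCB_LOCK(unp)` is held; without that, the next cleanup pass is likely to hoist the load back into the declaration and reintroduce the bug the commit message describes.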
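Review bot: in the second hunk, `if (so)` is the only thing standing between `so->so_error = ECONNRESET;` and a freed socket, so the fix is sound only if the detach path clears `unp->unp_socket` under `UNP_PCB_LOCK` before the socket is freed; that invariant is assumed rather than visible in the hunk and deserves a one-line comment above `so = unp->unp_socket;` saying that a NULL here means the socket has already been detached. Note also that the header `@@ -1972,6 +1972,7 @@` promises six pre-image lines but only five context lines follow, ending at `if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {`, so the archived copy of this hunk is truncated.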
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109250059.18P0xUIF095943>
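The race the commit message describes, reduced to a single-threaded model so the interleaving is deterministic. This is an added example written for this page, not FreeBSD code: `struct unpcb`, `struct socket`, the lock helpers and `detach_and_free` are stand-ins for the kernel's real structures, `racer` is a hook that plays the part of the concurrent detach running in the window between the early pointer load and `UNP_PCB_LOCK`, and memory is never actually released (a "freed" socket is recorded by address so the dangling write can be detected instead of being undefined behaviour). The model assumes, as the fix does, that detach clears `unp_socket` under the PCB lock before the socket is freed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of the unp_drop() race (hypothetical, not FreeBSD code).
 * Memory is never released: a "freed" socket is remembered by address so
 * a write through a stale pointer can be reported rather than crash.
 */
struct socket {
	int so_error;
};

struct unpcb {
	bool locked;                /* stands in for UNP_PCB_LOCK/UNLOCK */
	struct socket *unp_socket;  /* NULL once the socket is detached */
	struct socket *freed;       /* address of the socket that was "freed" */
};

static void pcb_lock(struct unpcb *unp)   { unp->locked = true; }
static void pcb_unlock(struct unpcb *unp) { unp->locked = false; }

/* The concurrent detach: clear the back-pointer under the lock, then free. */
static void detach_and_free(struct unpcb *unp)
{
	pcb_lock(unp);
	unp->freed = unp->unp_socket;
	unp->unp_socket = NULL;
	pcb_unlock(unp);
}

typedef void (*racer_fn)(struct unpcb *);

/*
 * Pre-fix shape of unp_drop(): the socket pointer is loaded before the
 * PCB lock is taken.  Returns 1 if so_error was written through a pointer
 * to an already-freed socket, 0 otherwise.
 */
static int drop_before_fix(struct unpcb *unp, racer_fn racer)
{
	struct socket *so = unp->unp_socket;   /* unlocked load */
	int dangling;

	if (racer != NULL)
		racer(unp);                     /* detach lands in the window */
	pcb_lock(unp);
	dangling = (so != NULL && so == unp->freed);
	if (so != NULL)
		so->so_error = ECONNRESET;      /* use-after-free when dangling */
	pcb_unlock(unp);
	return dangling;
}

/* Post-fix shape: the load happens only after the lock is held. */
static int drop_after_fix(struct unpcb *unp, racer_fn racer)
{
	struct socket *so;
	int dangling;

	if (racer != NULL)
		racer(unp);                     /* same window, but no stale copy */
	pcb_lock(unp);
	so = unp->unp_socket;                   /* NULL if already detached */
	dangling = (so != NULL && so == unp->freed);
	if (so != NULL)
		so->so_error = ECONNRESET;
	pcb_unlock(unp);
	return dangling;
}

typedef int (*drop_fn)(struct unpcb *, racer_fn);

/* Run one drop against a fresh pcb/socket pair with the detach interleaved. */
static int dangling_write(drop_fn drop)
{
	struct socket so = { 0 };
	struct unpcb unp = { false, &so, NULL };

	return drop(&unp, detach_and_free);
}

/* Without a racer both versions must still deliver ECONNRESET. */
static int error_without_race(drop_fn drop)
{
	struct socket so = { 0 };
	struct unpcb unp = { false, &so, NULL };

	(void)drop(&unp, NULL);
	return so.so_error;
}

int main(void)
{
	printf("before fix: dangling write = %d\n", dangling_write(drop_before_fix));
	printf("after fix:  dangling write = %d\n", dangling_write(drop_after_fix));
	printf("no race:    so_error = %d (ECONNRESET = %d)\n",
	    error_without_race(drop_after_fix), ECONNRESET);
	return 0;
}
```

The point the model makes is that the fix does not add a check; it only moves the load. The `if (so)` test was already there, but it was testing a copy taken outside the lock, so it could never observe the NULL that detach writes. Reading `unp_socket` after `UNP_PCB_LOCK` makes the existing NULL check see the same value detach left behind, which is why the change is two lines rather than a new locking protocol.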