af_unix: fix struct pid leaks in OOB support
syzbot reported struct pid leak [1].
Issue is that queue_oob() calls maybe_add_creds() which potentially
holds a reference on a pid.
But skb->destructor is not set (either directly or by calling
unix_scm_to_skb())
This means that subsequent kfree_skb() or consume_skb() would leak
this reference.
In this fix, I chose to fully support scm even for the OOB message.
[1]
BUG: memory leak
unreferenced object 0xffff8881053e7f80 (size 128):
comm "syz-executor242", pid 5066, jiffies
4294946079 (age 13.220s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<
ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
[<
ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
[<
ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
[<
ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
[<
ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<
ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<
ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes:
314001f0bf92 ("af_unix: Add OOB support")
Reported-by: syzbot+7699d9e5635c10253a27@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rao Shoaib <rao.shoaib@oracle.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230307164530.771896-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
projects / linux-2.6-microblaze.git / commit