From 539bddd7f50b7e710bca8121e24ad9188765450b Mon Sep 17 00:00:00 2001
From: waterwin
Date: Mon, 3 Jul 2023 03:32:55 +0000
Subject: [PATCH] hmdfs:use after free when rekey

Signed-off-by: waterwin
---
 fs/hmdfs/comm/crypto.c    |  5 ++++-
 fs/hmdfs/comm/transport.c | 11 +++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/fs/hmdfs/comm/crypto.c b/fs/hmdfs/comm/crypto.c
index 60bb08f1697f..33c4be338f74 100644
--- a/fs/hmdfs/comm/crypto.c
+++ b/fs/hmdfs/comm/crypto.c
@@ -20,13 +20,15 @@ static void tls_crypto_set_key(struct connection *conn_impl, int tx)
 {
 	int rc = 0;
 	struct tcp_handle *tcp = conn_impl->connect_handle;
-	struct tls_context *ctx = tls_get_ctx(tcp->sock->sk);
+	struct tls_context *ctx = NULL;
 	struct cipher_context *cctx = NULL;
 	struct tls_sw_context_tx *sw_ctx_tx = NULL;
 	struct tls_sw_context_rx *sw_ctx_rx = NULL;
 	struct crypto_aead **aead = NULL;
 	struct tls12_crypto_info_aes_gcm_128 *crypto_info = NULL;
 
+	lock_sock(tcp->sock->sk);
+	ctx = tls_get_ctx(tcp->sock->sk);
 	if (tx) {
 		crypto_info = &conn_impl->send_crypto_info;
 		cctx = &ctx->tx;
@@ -48,6 +50,7 @@ static void tls_crypto_set_key(struct connection *conn_impl, int tx)
 			TLS_CIPHER_AES_GCM_128_KEY_SIZE);
 	if (rc)
 		hmdfs_err("crypto set key error");
+	release_sock(tcp->sock->sk);
 }
 
 int tls_crypto_info_init(struct connection *conn_impl)
diff --git a/fs/hmdfs/comm/transport.c b/fs/hmdfs/comm/transport.c
index 1754b1da2685..75fb9797857e 100644
--- a/fs/hmdfs/comm/transport.c
+++ b/fs/hmdfs/comm/transport.c
@@ -894,6 +894,8 @@ static int set_tfm(__u8 *master_key, struct crypto_aead *tfm)
 
 static bool is_tcp_socket(struct tcp_handle *tcp)
 {
+	struct inet_connection_sock *icsk;
+
 	if (!tcp || !tcp->sock || !tcp->sock->sk) {
 		hmdfs_err("invalid tcp handle");
 		return false;
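Review bot: `ctx = tls_get_ctx(tcp->sock->sk)` is still dereferenced without a NULL check once the lock is held; `tls_get_ctx()` returns the socket's ULP data, which is NULL while no TLS ULP is attached or after it has been detached, so `cctx = &ctx->tx` and the later accesses to `ctx` would fault in exactly the detach-during-rekey window the commit title suggests. Taking the socket lock only guarantees that the pointer cannot change under you, not that it is non-NULL. Because the function returns void, the minimal fix is to log, release the lock and bail out before the first use, as below. The body of `tls_crypto_set_key` continues past the end of this hunk, so I cannot see whether later code tolerates a NULL `ctx`.
```c
	lock_sock(tcp->sock->sk);
	ctx = tls_get_ctx(tcp->sock->sk);
	if (!ctx) {
		hmdfs_err("tls context is NULL");
		release_sock(tcp->sock->sk);
		return;
	}
	if (tx) {
	/* … unchanged: tx/rx context selection and key setup … */
```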
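Review bot: `release_sock(tcp->sock->sk);` is now the final statement of `tls_crypto_set_key`, so any path that leaves the function between the `lock_sock()` added in the previous hunk and this line would return with the socket still locked. The middle of the body (old lines 33–47) is not part of this patch, so I cannot tell whether it contains early returns; if it does, they need to go through the same release, for example by making this tail an `out:` label reached with `goto out`. If there are no early returns today, a one-line comment such as `/* socket locked since lock_sock() above; no early returns allowed */` before the release would keep the invariant visible to the next person editing the function.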
@@ -904,6 +906,15 @@ static bool is_tcp_socket(struct tcp_handle *tcp)
 		return false;
 	}
 
+	lock_sock(tcp->sock->sk);
+	icsk = inet_csk(tcp->sock->sk);
+	if (icsk->icsk_ulp_ops) {
+		hmdfs_err("ulp not NULL");
+		release_sock(tcp->sock->sk);
+		return false;
+	}
+
+	release_sock(tcp->sock->sk);
 	return true;
 }
 
-- 
Gitee
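Review bot: The `icsk->icsk_ulp_ops` check is performed under the socket lock but the lock is dropped before `return true;`, so the caller only learns that no ULP was attached at that instant; if the caller goes on to attach the TLS ULP without re-taking the socket lock, another path can still install a ULP in between and the check does not prevent the double-attach it appears to guard against. Whether the caller holds the lock across the subsequent setup is outside this hunk, so this may already be covered; if it is not, the check belongs in the same locked region as the ULP setup, and if it is, a comment on the function would make the contract explicit, e.g. `/* Result is only valid while the caller keeps the socket lock; the ULP state can change once it is dropped. */`. `is_tcp_socket()` starts before this hunk.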