Re: Use-after-free access in j1939_session_deactivate

On Mon, Jul 12, 2021 at 03:40:46PM -0700, Xiaochen Zou wrote:

Hi, It looks like there are multiple use-after-free accesses in j1939_session_deactivate()

static bool j1939_session_deactivate(struct j1939_session *session) { bool active;

j1939_session_list_lock(session->priv); active = j1939_session_deactivate_locked(session); //session can be freed inside j1939_session_list_unlock(session->priv); // It causes UAF read and write

return active; }

session can be freed by j1939_session_deactivate_locked->j1939_session_put->__j1939_session_release->j1939_session_destroy->kfree. Therefore it makes the unlock function perform UAF access.

Great, can you make up a patch to fix this issue so you can get credit for finding and solving it?

thanks,

greg k-h