linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-12 13:55:32 +00:00

History

Xin Long 3067bc61fc tipc: re-fetch skb cb after tipc_msg_validate As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate(). Fixes: `fc1b6d6de2` ("tipc: introduce TIPC encryption & authentication") Reported-by: Shuang Li <shuali@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2022-11-28 18:07:31 -08:00
..
addr.c	tipc: introduce new unified address type for internal use	2021-03-17 11:51:04 -07:00
addr.h	tipc: introduce new unified address type for internal use	2021-03-17 11:51:04 -07:00
bcast.c	net: tipc: fix FB_MTU eat two pages	2021-06-28 13:31:57 -07:00
bcast.h
bearer.c	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
bearer.h	tipc: constify dev_addr passing	2021-10-13 09:40:46 -07:00
core.c	tipc: fix use-after-free Read in tipc_named_reinit	2022-06-17 11:39:10 +01:00
core.h	tipc: simplify the finalize work queue	2021-05-18 13:22:09 -07:00
crypto.c	tipc: re-fetch skb cb after tipc_msg_validate	2022-11-28 18:07:31 -08:00
crypto.h
diag.c
discover.c	tipc: check skb_linearize() return value in tipc_disc_rcv()	2022-11-21 20:50:24 -08:00
discover.h
eth_media.c	tipc: constify dev_addr passing	2021-10-13 09:40:46 -07:00
group.c
group.h
ib_media.c	tipc: constify dev_addr passing	2021-10-13 09:40:46 -07:00
Kconfig
link.c	tipc: fix incorrect order of state message data sanity check	2022-03-08 22:18:42 -08:00
link.h	tipc: simplify the finalize work queue	2021-05-18 13:22:09 -07:00
Makefile
monitor.c	tipc: fix shift wrapping bug in map_get()	2022-09-02 12:26:29 +01:00
monitor.h
msg.c	net: tipc: replace align() with ALIGN in msg.c	2021-06-28 13:31:57 -07:00
msg.h	net: tipc: remove unused static inlines	2022-01-27 13:53:27 +00:00
name_distr.c	net/tipc: Remove unused struct distr_queue_item	2022-09-29 18:48:32 -07:00
name_distr.h
name_table.c	tipc: cleanup unused function	2022-06-17 11:43:57 +01:00
name_table.h	tipc: cleanup unused function	2022-06-17 11:43:57 +01:00
net.c	tipc: simplify the finalize work queue	2021-05-18 13:22:09 -07:00
net.h
netlink.c	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
netlink.h
netlink_compat.c	tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header	2022-11-07 19:53:40 -08:00
node.c	tipc: move bc link creation back to tipc_node_create	2022-06-27 11:51:56 +01:00
node.h
socket.c	treewide: use prandom_u32_max() when possible, part 1	2022-10-11 17:42:55 -06:00
socket.h
subscr.c	tipc:subscr.c: fix a spelling mistake	2021-06-10 13:48:43 -07:00
subscr.h	tipc: fix htmldoc and smatch warnings	2021-03-29 16:28:50 -07:00
sysctl.c
topsrv.c	tipc: add an extra conn_get in tipc_conn_alloc	2022-11-21 20:45:24 -08:00
topsrv.h
trace.c
trace.h
udp_media.c	tipc: wait and exit until all work queues are done	2021-05-17 14:07:48 -07:00
udp_media.h