linux-stable/net/rose
Hyunwoo Kim 02af3c8ab5 net/rose: Fix Use-After-Free in rose_ioctl
[ Upstream commit 810c38a369 ]

Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-12-20 15:32:33 +01:00
af_rose.c net/rose: Fix Use-After-Free in rose_ioctl 2023-12-20 15:32:33 +01:00
Makefile
rose_dev.c
rose_in.c
rose_link.c rose: Fix NULL pointer dereference in rose_send_frame() 2022-11-10 15:47:21 +01:00
rose_loopback.c rose: check NULL rose_loopback_neigh->loopback 2022-09-05 10:25:03 +02:00
rose_out.c
rose_route.c net: rose: fix netdev reference changes 2022-08-25 11:11:20 +02:00
rose_subr.c
rose_timer.c net: rose: fix UAF bugs caused by timer handler 2022-07-07 17:31:16 +02:00
sysctl_net_rose.c