From 640fe1be5bff1b9fa29895bbded99c4c83e0d9e7 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 12 Sep 2024 15:52:22 +0800 Subject: [PATCH] ipv6: fix possible UAF in ip6_finish_output2() stable inclusion from stable-v6.6.48 commit 6ab6bf731354a6fdbaa617d1ec194960db61cf3b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZO CVE: CVE-2024-44986 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6ab6bf731354a6fdbaa617d1ec194960db61cf3b --------------------------- [ Upstream commit da273b377ae0d9bd255281ed3c2adb228321687b ] If skb_expand_head() returns NULL, skb has been freed and associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst and associated idev are alive. Fixes: 5796015fa968 ("ipv6: allocate enough headroom in ip6_finish_output2()") Signed-off-by: Eric Dumazet Cc: Vasily Averin Reviewed-by: David Ahern Link: https://patch.msgid.link/20240820160859.3786976-3-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Signed-off-by: Zhengchao Shao Signed-off-by: Zhang Changzhong --- net/ipv6/ip6_output.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index db8d0e1bf69f..888b380ea1be 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -70,11 +70,15 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * /* Be paranoid, rather than too clever. */ if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) { + /* Make sure idev stays alive */ + rcu_read_lock(); skb = skb_expand_head(skb, hh_len); if (!skb) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); + rcu_read_unlock(); return -ENOMEM; } + rcu_read_unlock(); } hdr = ipv6_hdr(skb); -- Gitee