linux/net/tipc
Cong Wang 26217e062f tipc: fix the skb_unshare() in tipc_buf_append()
[ Upstream commit ed42989eab ]

skb_unshare() drops a reference count on the old skb unconditionally,
so in the failure case we end up freeing the skb twice here.
And because the skb is allocated in fclone and cloned by the caller
tipc_msg_reassemble(), the consequence is actually freeing the
original skb too, thus triggering the UAF reported by syzbot.

Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy().

Fixes: ff48b6222e ("tipc: use skb_unshare() instead in tipc_buf_append()")
Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
Cc: Jon Maloy <jmaloy@redhat.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-29 09:54:56 +01:00
addr.c tipc: initialise addr_trail_end when setting node addresses 2019-08-25 10:48:05 +02:00
addr.h
bcast.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
bcast.h
bearer.c tipc: fix a double free in tipc_enable_bearer() 2019-01-09 17:38:34 +01:00
bearer.h
core.c tipc: fix ordering of tipc module init and exit routine 2019-12-21 10:57:16 +01:00
core.h
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-23 08:17:03 +01:00
discover.h
eth_media.c
group.c tipc: Fix memory leak in tipc_group_create_member() 2020-09-26 18:01:30 +02:00
group.h
ib_media.c
Kconfig
link.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
link.h tipc: fix failover problem 2018-09-29 11:45:14 -07:00
Makefile
monitor.c tipc: update mon's self addr when node addr generated 2020-01-27 14:49:52 +01:00
monitor.h tipc: update mon's self addr when node addr generated 2020-01-27 14:49:52 +01:00
msg.c tipc: fix the skb_unshare() in tipc_buf_append() 2020-10-29 09:54:56 +01:00
msg.h
name_distr.c tipc: eliminate message disordering during binding table update 2020-01-27 14:50:00 +01:00
name_distr.h
name_table.c tipc: eliminate message disordering during binding table update 2020-01-27 14:50:00 +01:00
name_table.h tipc: eliminate message disordering during binding table update 2020-01-27 14:50:00 +01:00
net.c tipc: update mon's self addr when node addr generated 2020-01-27 14:49:52 +01:00
net.h tipc: fix lockdep warning when reinitilaizing sockets 2018-11-23 08:17:03 +01:00
netlink_compat.c tipc: fix uninit skb->data in tipc_nl_compat_dumpit() 2020-09-03 11:24:17 +02:00
netlink.c tipc: add missing attribute validation for MTU property 2020-03-18 07:14:18 +01:00
netlink.h
node.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
node.h
socket.c tipc: fix shutdown() of connection oriented socket 2020-09-26 18:01:30 +02:00
socket.h tipc: call start and done ops directly in __tipc_nl_compat_dumpit() 2018-09-06 21:49:18 -07:00
subscr.c
subscr.h tipc: fix modprobe tipc failed after switch order of device registration 2019-06-04 08:02:34 +02:00
sysctl.c tipc: set sysctl_tipc_rmem and named_timeout right range 2020-01-27 14:50:39 +01:00
topsrv.c tipc: fix memory leak in service subscripting 2020-10-01 13:14:44 +02:00
topsrv.h
udp_media.c net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2020-04-29 16:31:17 +02:00
udp_media.h