can: j1939: fix Use-after-Free, hold skb ref while in use

mainline inclusion
from mainline-v5.13-rc7
commit 2030043e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4CE
CVE: CVE-2021-47232

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2030043e616cab40f510299f09b636285e0a3678

--------------------------------

This patch fixes a Use-after-Free found by the syzbot.

The problem is that a skb is taken from the per-session skb queue,
without incrementing the ref count. This leads to a Use-after-Free if
the skb is taken concurrently from the session queue due to a CTS.

Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/r/20210521115720.7533-1-o.rempel@pengutronix.de
Cc: Hillf Danton <hdanton@sina.com>
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: <syzbot+220c1a29987a9a490903@syzkaller.appspotmail.com>
Reported-by: <syzbot+45199c1b73b4013525cf@syzkaller.appspotmail.com>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
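
The reference-counting mistake described in the commit message above, as an added userspace model that is not part of the kernel patch. `struct buf`, `struct queue` and every function name are hypothetical stand-ins for the skb and the per-session queue, and the free is modelled by clearing a flag so the outcome can be observed safely.

```c
#include <stdio.h>
#include <stddef.h>

struct buf   { int refs; int live; };   /* stand-in for a refcounted skb */
struct queue { struct buf *head; };     /* stand-in for the per-session queue */

static void buf_put(struct buf *b)      /* drop one reference */
{
    if (--b->refs == 0)
        b->live = 0;                    /* models the free */
}

/* Before: hands out the queue's pointer without taking a reference. */
static struct buf *queue_find_unsafe(struct queue *q)
{
    return q->head;
}

/* After: takes a reference that the caller must release with buf_put(). */
static struct buf *queue_find_held(struct queue *q)
{
    if (q->head)
        q->head->refs++;
    return q->head;
}

/* Concurrent path: the buffer leaves the queue and the queue's ref is dropped. */
static void queue_drop_head(struct queue *q)
{
    if (q->head) {
        buf_put(q->head);
        q->head = NULL;
    }
}

/* Returns 1 if the buffer is still live while the first user works on it. */
static int still_live_during_use(int hold_ref)
{
    static struct buf pool[2];          /* static storage: nothing is really freed */
    struct buf *b = &pool[hold_ref];
    struct queue q = { b };
    b->refs = 1; b->live = 1;           /* the queue owns the only reference */

    struct buf *mine = hold_ref ? queue_find_held(&q) : queue_find_unsafe(&q);
    queue_drop_head(&q);                /* the racing dequeue */
    int live = mine->live;              /* 0 corresponds to a Use-after-Free */
    if (hold_ref)
        buf_put(mine);                  /* release our reference when done */
    return live;
}

int main(void)
{
    printf("no ref held: live=%d\n", still_live_during_use(0));
    printf("ref held:    live=%d\n", still_live_during_use(1));
    return 0;
}
```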