Commit 640fe1be authored Sep 12, 2024 by Eric Dumazet Committed by Zhang Changzhong Sep 12, 2024

ipv6: fix possible UAF in ip6_finish_output2()

stable inclusion
from stable-v6.6.48
commit 6ab6bf731354a6fdbaa617d1ec194960db61cf3b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZO
CVE: CVE-2024-44986

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6ab6bf731354a6fdbaa617d1ec194960db61cf3b



---------------------------

[ Upstream commit da273b377ae0d9bd255281ed3c2adb228321687b ]

If skb_expand_head() returns NULL, skb has been freed
and associated dst/idev could also have been freed.

We need to hold rcu_read_lock() to make sure the dst and
associated idev are alive.

Fixes: 5796015f ("ipv6: allocate enough headroom in ip6_finish_output2()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-3-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

parent 13706c95

net/ipv6/ip6_output.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -70,11 +70,15 @@ static int ip6_finish_output2(struct net net, struct sock sk, struct sk_buff *

		/* Be paranoid, rather than too clever. */
		if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
		/* Make sure idev stays alive */
		rcu_read_lock();
		skb = skb_expand_head(skb, hh_len);
		if (!skb) {
		IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
		rcu_read_unlock();
		return -ENOMEM;
		}
		rcu_read_unlock();
		}

		hdr = ipv6_hdr(skb);