Commit 6d9b493e authored Jun 30, 2021 by Oleksij Rempel Committed by Zheng Zengkai Jul 06, 2021

can: j1939: fix Use-after-Free, hold skb ref while in use

stable inclusion
from stable-5.10.46
commit 509ab6bfdd0c76daebbad0f0af07da712116de22
bugzilla: 168323
CVE: NA

--------------------------------

commit 2030043e upstream.

This patch fixes a Use-after-Free found by the syzbot.

The problem is that a skb is taken from the per-session skb queue,
without incrementing the ref count. This leads to a Use-after-Free if
the skb is taken concurrently from the session queue due to a CTS.

Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/r/20210521115720.7533-1-o.rempel@pengutronix.de


Cc: Hillf Danton <hdanton@sina.com>
Cc: linux-stable <stable@vger.kernel.org>
Reported-by:  <syzbot+220c1a29987a9a490903@syzkaller.appspotmail.com>
Reported-by:  <syzbot+45199c1b73b4013525cf@syzkaller.appspotmail.com>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Acked-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 3ea36883

Show whitespace changes

Inline Side-by-side

Please to comment