Commit 7406300a authored Sep 12, 2024 by Eric Dumazet Committed by Zhang Changzhong Sep 12, 2024

ipv6: prevent possible UAF in ip6_xmit()

stable inclusion
from stable-v6.6.48
commit 124b428fe28064c809e4237b0b38e97200a8a4a8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZA
CVE: CVE-2024-44985

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=124b428fe28064c809e4237b0b38e97200a8a4a8



---------------------------

[ Upstream commit 2d5ff7e339d04622d8282661df36151906d0e1c7 ]

If skb_expand_head() returns NULL, skb has been freed
and the associated dst/idev could also have been freed.

We must use rcu_read_lock() to prevent a possible UAF.

Fixes: 0c9f227b ("ipv6: use skb_expand_head in ip6_xmit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-4-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

parent 13706c95

net/ipv6/ip6_output.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -277,11 +277,15 @@ int ip6_xmit(const struct sock sk, struct sk_buff skb, struct flowi6 *fl6,
		head_room += opt->opt_nflen + opt->opt_flen;

		if (unlikely(head_room > skb_headroom(skb))) {
		/* Make sure idev stays alive */
		rcu_read_lock();
		skb = skb_expand_head(skb, head_room);
		if (!skb) {
		IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
		rcu_read_unlock();
		return -ENOBUFS;
		}
		rcu_read_unlock();
		}

		if (opt) {