appletalk: Fix Use-After-Free in atalk_ioctl
stable inclusion from stable-v4.19.302 commit 580ff9f59ab6537d8ce1d0d9f012cf970553ef3d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8RXOY CVE: CVE-2023-51781 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=580ff9f59ab6537d8ce1d0d9f012cf970553ef3d -------------------------------- [ Upstream commit 189ff16722ee36ced4d2a2469d4ab65a8fee4198 ] Because atalk_ioctl() accesses sk->sk_receive_queue without holding a sk->sk_receive_queue.lock, it can cause a race with atalk_recvmsg(). A use-after-free for skb occurs with the following flow. ``` atalk_ioctl() -> skb_peek() atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() ``` Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Signed-off-by:Hyunwoo Kim <v4bel@theori.io> Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX Signed-off-by:
Loading
Please sign in to comment