ipv6: avoid use-after-free in ip6_fragment() (803e8486) · Commits · Mirrors / git.yoctoproject.org / linux-yocto · GitLab

Commit 803e8486 authored Dec 06, 2022 by

Eric Dumazet Committed by Jakub Kicinski Dec 07, 2022

ipv6: avoid use-after-free in ip6_fragment()

Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.

It seems to not be always true, at least for UDP stack.

syzbot reported:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618

CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 ip6_dst_idev include/net/ip6_fib.h:245 [inline]
 ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
 __ip6_finish_output net/ipv6/ip6_output.c:19...

parent 7d8c19bf

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 8208d7e5
· Dec 20, 2022

mentioned in commit 8208d7e5

mentioned in commit 8208d7e56b1e579320b9ff3712739ad2e63e1f86

Toggle commit list
mirror @mirror
mentioned in commit 7390c70b
· Dec 20, 2022

mentioned in commit 7390c70b

mentioned in commit 7390c70bd431cbfa6951477e2c80a301643e284b

Toggle commit list
mirror @mirror
mentioned in commit 6b6d3be3
· Dec 21, 2022

mentioned in commit 6b6d3be3

mentioned in commit 6b6d3be3661bff2746cab26147bd629aa034e094

Toggle commit list

Please register or to comment