ipv6: fix possible UAF in ip6_finish_output2() (1504108c) · Commits · CodeLinaro / la / kernel / msm · GitLab

Snippets Groups Projects

Commit 1504108c authored 3 months ago by Eric Dumazet Committed by Greg Kroah-Hartman 3 months ago

ipv6: fix possible UAF in ip6_finish_output2()


[ Upstream commit e891b36d ]

If skb_expand_head() returns NULL, skb has been freed
and associated dst/idev could also have been freed.

We need to hold rcu_read_lock() to make sure the dst and
associated idev are alive.

Fixes: 5796015f ("ipv6: allocate enough headroom in ip6_finish_output2()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-3-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e891b36d)
Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent ee6b1db1

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 4 additions and 0 deletions

lnx build @lnxbuild
mentioned in commit msm-5.10@c1f6eb35
· 6 days ago

mentioned in commit msm-5.10@c1f6eb35

mentioned in commit msm-5.10@c1f6eb35b3a5dfc34bfe931ffbc39c5f852bf325

Toggle commit list

Please register or to comment