atm: Fix Use-After-Free in do_vcc_ioctl (46ca4766) · Commits · CodeLinaro / la / kernel / msm

Commit 46ca4766 authored 1 year ago by Guillaume Nault

atm: Fix Use-After-Free in do_vcc_ioctl

JIRA: https://issues.redhat.com/browse/RHEL-21181


Upstream Status: linux.git
CVE: CVE-2023-51780

commit 24e90b9e
Author: Hyunwoo Kim <v4bel@theori.io>
Date:   Sat Dec 9 04:42:10 2023 -0500

    atm: Fix Use-After-Free in do_vcc_ioctl

    Because do_vcc_ioctl() accesses sk->sk_receive_queue
    without holding a sk->sk_receive_queue.lock, it can
    cause a race with vcc_recvmsg().
    A use-after-free for skb occurs with the following flow.
    ```
    do_vcc_ioctl() -> skb_peek()
    vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
    ```
    Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue.

    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
    Link: https://lore.kernel.org/r/20231209094210.GA403126@v4bel-B760M-AORUS-ELITE-AX


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Guillaume Nault <gnault@redhat.com>

parent fd4ecb56

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 5 additions and 2 deletions

Please register or to comment