UPSTREAM: net/rose: Fix Use-After-Free in rose_ioctl
[ Upstream commit 810c38a3 ]

Because rose_ioctl() accesses sk->sk_receive_queue without holding a
sk->sk_receive_queue.lock, it can cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.

```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```

Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.

Bug: 321175740
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3f1f6a94)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I94d2aae6221fb95cb285e1a6d0c6fe39a70e35d2
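The locking discipline the commit describes, shown as an added user-space model (not the kernel's code and not part of this commit): a tiny sk_buff queue guarded by a mutex standing in for sk->sk_receive_queue.lock, the pre-fix ioctl shape that peeks and reads skb->len with no lock held, and the fixed shape that keeps both the peek and the length read inside the critical section so a concurrent rose_accept() dequeue cannot free the skb in between. The function and field names are simplified stand-ins, and the ioctl case being modelled is assumed to be the queue-length query; neither is taken from the page.

```c
/* User-space model of the rose_ioctl() / rose_accept() race and its fix.
 * Added illustration only; names and the queue layout are simplified. */
#include <pthread.h>
#include <stdlib.h>

/* Stand-in for struct sk_buff: singly linked, carries a length. */
struct skb {
    struct skb *next;
    unsigned int len;
};

/* Stand-in for struct sk_buff_head; the mutex models sk_receive_queue.lock. */
struct skb_head {
    struct skb *first;
    pthread_mutex_t lock;
};

struct sock {
    struct skb_head sk_receive_queue;
};

static void sock_init(struct sock *sk) {
    sk->sk_receive_queue.first = NULL;
    pthread_mutex_init(&sk->sk_receive_queue.lock, NULL);
}

/* Like the kernel's skb_peek(): the caller must hold the queue lock. */
static struct skb *skb_peek(struct skb_head *q) { return q->first; }

/* Like skb_queue_tail(): append under the lock. */
static void skb_queue_tail(struct skb_head *q, struct skb *s) {
    pthread_mutex_lock(&q->lock);
    s->next = NULL;
    struct skb **pp = &q->first;
    while (*pp) pp = &(*pp)->next;
    *pp = s;
    pthread_mutex_unlock(&q->lock);
}

/* Like skb_dequeue(): unlink the head under the lock. */
static struct skb *skb_dequeue(struct skb_head *q) {
    pthread_mutex_lock(&q->lock);
    struct skb *s = q->first;
    if (s) q->first = s->next;
    pthread_mutex_unlock(&q->lock);
    return s;
}

/* Models rose_accept(): take the pending skb off the queue, then free it. */
static void rose_accept_model(struct sock *sk) {
    struct skb *s = skb_dequeue(&sk->sk_receive_queue);
    free(s); /* kfree_skb() */
}

/* Pre-fix shape: peek and the skb->len read run with no lock held.
 * Between the two, rose_accept_model() on another thread may dequeue and
 * free the skb, so s->len becomes a read of freed memory. */
static unsigned int rose_ioctl_inq_unlocked(struct sock *sk) {
    struct skb *s = skb_peek(&sk->sk_receive_queue);
    return s ? s->len : 0;
}

/* Fixed shape: the lock is held across both the peek and the length read,
 * so the dequeue in rose_accept cannot interleave with them. */
static unsigned int rose_ioctl_inq_locked(struct sock *sk) {
    unsigned int amount = 0;
    pthread_mutex_lock(&sk->sk_receive_queue.lock);
    struct skb *s = skb_peek(&sk->sk_receive_queue);
    if (s) amount = s->len;
    pthread_mutex_unlock(&sk->sk_receive_queue.lock);
    return amount;
}

/* Single-threaded check of the fixed path: 42 bytes queued, then accepted
 * (queue empty). Returns 1 when both readings are as expected. */
static int check_fix_sequence(void) {
    struct sock sk;
    sock_init(&sk);
    struct skb *s = calloc(1, sizeof *s);
    if (!s) return 0;
    s->len = 42;
    skb_queue_tail(&sk.sk_receive_queue, s);
    unsigned int before = rose_ioctl_inq_locked(&sk);
    rose_accept_model(&sk);           /* dequeues and frees s */
    unsigned int after = rose_ioctl_inq_locked(&sk);
    pthread_mutex_destroy(&sk.sk_receive_queue.lock);
    (void)rose_ioctl_inq_unlocked;    /* kept only to show the pre-fix shape */
    return before == 42 && after == 0;
}

int main(void) {
    return check_fix_sequence() ? 0 : 1;
}
```

The point of the model is that the queue lock protects not only the list pointers but the lifetime of the skb for as long as the ioctl dereferences it; taking the lock only inside a peek helper would not be enough, because the length read after the peek is the access that races with kfree_skb().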