| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iJoxoA92tF3avTTL+rthen_iYfA6pc6wevNRkwnvaLWjg@mail.gmail.com>
Date: Tue, 30 Apr 2024 16:10:38 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, Jon Maloy <jmaloy@...hat.com>,
Ying Xue <ying.xue@...driver.com>, "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, tipc-discussion@...ts.sourceforge.net,
Long Xin <lxin@...hat.com>, stable@...r.kernel.org, zdi-disclosures@...ndmicro.com
Subject: Re: [PATCH net] tipc: fix UAF in error path
On Tue, Apr 30, 2024 at 3:53 PM Paolo Abeni <pabeni@...hat.com> wrote:
>
> Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
> a UAF in the tipc_buf_append() error path:
>
> BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
> linux/net/core/skbuff.c:1183
> Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
>
>
> In the critical scenario, either the relevant skb is freed or its
> ownership is transferred into a frag_lists. In both cases, the cleanup
> code must not free it again: we need to clear the skb reference earlier.
>
> Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers")
> Cc: stable@...r.kernel.org
> Reported-by: zdi-disclosures@...ndmicro.com # ZDI-CAN-23852
> Acked-by: Xin Long <lucien.xin@...il.com>
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> ---
> net/tipc/msg.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists