Message-Id: <175270801524.1359575.3541894487912368981.git-patchwork-notify@kernel.org>
Date: Wed, 16 Jul 2025 23:20:15 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, edumazet@...gle.com, ncardwell@...gle.com,
kuniyu@...gle.com, davem@...emloft.net, dsahern@...nel.org, kuba@...nel.org,
horms@...nel.org
Subject: Re: [PATCH net-next] tcp: fix UaF in tcp_prune_ofo_queue()

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@...nel.org>:

On Tue, 15 Jul 2025 10:13:58 +0200 you wrote:
> The CI reported a UaF in tcp_prune_ofo_queue():
>
> BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue+0x55d/0x660
> Read of size 4 at addr ffff8880134729d8 by task socat/20348
>
> CPU: 0 UID: 0 PID: 20348 Comm: socat Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Call Trace:
> <TASK>
> dump_stack_lvl+0x82/0xd0
> print_address_description.constprop.0+0x2c/0x400
> print_report+0xb4/0x270
> kasan_report+0xca/0x100
> tcp_prune_ofo_queue+0x55d/0x660
> tcp_try_rmem_schedule+0x855/0x12e0
> tcp_data_queue+0x4dd/0x2260
> tcp_rcv_established+0x5e8/0x2370
> tcp_v4_do_rcv+0x4ba/0x8c0
> __release_sock+0x27a/0x390
> release_sock+0x53/0x1d0
> tcp_sendmsg+0x37/0x50
> sock_write_iter+0x3c1/0x520
> vfs_write+0xc09/0x1210
> ksys_write+0x183/0x1d0
> do_syscall_64+0xc1/0x380
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fcf73ef2337
> Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
> RSP: 002b:00007ffd4f924708 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcf73ef2337
> RDX: 0000000000002000 RSI: 0000555f11d1a000 RDI: 0000000000000008
> RBP: 0000555f11d1a000 R08: 0000000000002000 R09: 0000000000000000
> R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000008
> R13: 0000000000002000 R14: 0000555ee1a44570 R15: 0000000000002000
> </TASK>
>
> [...]

Here is the summary with links:
  - [net-next] tcp: fix UaF in tcp_prune_ofo_queue()
    https://git.kernel.org/netdev/net-next/c/7eeabfb23738

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html