iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ed42989eab
linux/net/tipc
History
Cong Wang ed42989eab tipc: fix the skb_unshare() in tipc_buf_append() 
skb_unshare() drops a reference count on the old skb unconditionally,
so in the failure case, we end up freeing the skb twice here.
And because the skb is allocated in fclone and cloned by caller
tipc_msg_reassemble(), the consequence is actually freeing the
original skb too, thus triggered the UAF by syzbot.

Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy().

Fixes: ff48b6222e ("tipc: use skb_unshare() instead in tipc_buf_append()")
Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
Cc: Jon Maloy <jmaloy@redhat.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-10-09 18:22:56 -07:00
..
addr.c tipc: initialise addr_trail_end when setting node addresses 2019-08-11 21:40:04 -07:00
addr.h
bcast.c tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
bcast.h tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
bearer.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
bearer.h tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
core.c tipc: fix ordering of tipc module init and exit routine 2019-12-06 12:01:09 -08:00
core.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-16 21:51:42 -08:00
crypto.c tipc: fix using smp_processor_id() in preemptible 2020-08-30 19:12:17 -07:00
crypto.h tipc: introduce TIPC encryption & authentication 2019-11-08 14:01:59 -08:00
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c net: tipc: kerneldoc fixes 2020-07-13 17:20:40 -07:00
discover.h
eth_media.c tipc: Use is_broadcast_ether_addr() instead of memcmp() 2020-08-03 16:21:46 -07:00
group.c tipc: Fix memory leak in tipc_group_create_member() 2020-09-14 16:36:20 -07:00
group.h tipc: extend sock diag for group communication 2018-06-30 21:05:42 +09:00
ib_media.c tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
Kconfig tipc: not enable tipc when ipv6 works as a module 2020-08-16 21:04:55 -07:00
link.c net: tipc: kerneldoc fixes 2020-09-15 13:33:04 -07:00
link.h tipc: add support for broadcast rcv stats dumping 2020-05-26 15:16:52 -07:00
Makefile tipc: remove meaningless assignment in Makefile 2020-01-08 12:38:54 -08:00
monitor.c tipc: add NULL pointer check to prevent kernel oops 2020-03-15 00:07:00 -07:00
monitor.h tipc: update mon's self addr when node addr generated 2019-11-12 19:45:45 -08:00
msg.c tipc: fix the skb_unshare() in tipc_buf_append() 2020-10-09 18:22:56 -07:00
msg.h tipc: Use struct_size() helper 2020-06-19 20:15:25 -07:00
name_distr.c tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
name_distr.h tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
name_table.c tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
name_table.h tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
net.c tipc: make legacy address flag readable over netlink 2019-12-20 21:18:42 -08:00
net.h tipc: make legacy address flag readable over netlink 2019-12-20 21:18:42 -08:00
netlink_compat.c tipc: fix uninit skb->data in tipc_nl_compat_dumpit() 2020-08-16 21:03:19 -07:00
netlink.c tipc: add support for broadcast rcv stats dumping 2020-05-26 15:16:52 -07:00
netlink.h net: tipc: allocate attrs locally instead of using genl_family_attrbuf in compat_dumpit() 2019-10-06 15:44:47 +02:00
node.c net: tipc: kerneldoc fixes 2020-07-13 17:20:40 -07:00
node.h tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
socket.c tipc: fix shutdown() of connection oriented socket 2020-09-10 12:21:39 -07:00
socket.h tipc: call tsk_set_importance from tipc_topsrv_create_listener 2020-05-28 11:11:46 -07:00
subscr.c
subscr.h tipc: fix failed service subscription deletion 2020-05-13 12:33:19 -07:00
sysctl.c tipc: enable broadcast retrans via unicast 2020-05-26 15:16:52 -07:00
topsrv.c tipc: call tsk_set_importance from tipc_topsrv_create_listener 2020-05-28 11:11:46 -07:00
topsrv.h
trace.c tipc: remove unneeded semicolon in trace.c 2019-01-17 22:04:43 -08:00
trace.h tipc: add support for broadcast rcv stats dumping 2020-05-26 15:16:52 -07:00
udp_media.c ipv6: some fixes for ipv6_dev_find() 2020-08-18 15:58:53 -07:00
udp_media.h tipc: implement configuration of UDP media MTU 2018-04-20 11:04:05 -04:00