Patch "tipc: re-fetch skb cb after tipc_msg_validate" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    tipc: re-fetch skb cb after tipc_msg_validate

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9715b0e2e4fe5ad20311f6c338b0d36e33011582
Author: Xin Long <lucien.xin@xxxxxxxxx>
Date:   Fri Nov 25 12:46:43 2022 -0500

    tipc: re-fetch skb cb after tipc_msg_validate
    
    [ Upstream commit 3067bc61fcfe3081bf4807ce65560f499e895e77 ]
    
    As the call trace shows, the original skb was freed in tipc_msg_validate(),
    and dereferencing the old skb cb would cause a use-after-free crash.
    
      BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
      Call Trace:
       <IRQ>
       tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
       tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
       tipc_rcv+0x744/0x1150 [tipc]
      ...
      Allocated by task 47078:
       kmem_cache_alloc_node+0x158/0x4d0
       __alloc_skb+0x1c1/0x270
       tipc_buf_acquire+0x1e/0xe0 [tipc]
       tipc_msg_create+0x33/0x1c0 [tipc]
       tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
       tipc_link_timeout+0x8b8/0xef0 [tipc]
       tipc_node_timeout+0x2a1/0x960 [tipc]
       call_timer_fn+0x2d/0x1c0
      ...
      Freed by task 47078:
       tipc_msg_validate+0x7b/0x440 [tipc]
       tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
       tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
       tipc_rcv+0x744/0x1150 [tipc]
    
    This patch fixes it by re-fetching the skb cb from the newly allocated skb
    after calling tipc_msg_validate().
    
    Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
    Reported-by: Shuang Li <shuali@xxxxxxxxxx>
    Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
    Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@xxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 6f91b9a306dc..de63d6d41645 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -1975,6 +1975,9 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
 	/* Ok, everything's fine, try to synch own keys according to peers' */
 	tipc_crypto_key_synch(rx, *skb);
 
+	/* Re-fetch skb cb as skb might be changed in tipc_msg_validate */
+	skb_cb = TIPC_SKB_CB(*skb);
+
 	/* Mark skb decrypted */
 	skb_cb->decrypted = 1;
 
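Review bot: the re-fetch of skb_cb is placed after tipc_crypto_key_synch(rx, *skb) rather than directly after the tipc_msg_validate() call that, per the commit message, can free the original skb, and the hunk's context does not show that call or the lines between it and this point; please confirm there is no other dereference of the stale skb_cb (or of a hdr pointer taken from the old skb) in that window, and consider moving `skb_cb = TIPC_SKB_CB(*skb);` to immediately after tipc_msg_validate() returns so the stale pointer is never live. The comment "skb might be changed in tipc_msg_validate" would also read better if it said what the reviewer needs to know, i.e. that tipc_msg_validate() may replace *skb with a new buffer and free the old one, so any cached pointer into the old skb is invalid after the call.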


