Patch "tipc: fix use-after-free in tipc_disc_rcv()" has been added to the 5.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 16 Jan 2023 16:18:09 +0100

This is a note to let you know that I've just added the patch titled

    tipc: fix use-after-free in tipc_disc_rcv()

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-fix-use-after-free-in-tipc_disc_rcv.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 Mon Sep 17 00:00:00 2001
From: Tuong Lien <tuong.t.lien@xxxxxxxxxxxxxx>
Date: Tue, 10 Dec 2019 15:21:05 +0700
Subject: tipc: fix use-after-free in tipc_disc_rcv()

From: Tuong Lien <tuong.t.lien@xxxxxxxxxxxxxx>

commit 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 upstream.

In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called
to read the header data field but after the message skb has been freed,
that might result in a garbage value...

This commit fixes it by defining a new local variable to store the data
first, just like the other header fields' handling.

Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
Acked-by: Jon Maloy <jon.maloy@xxxxxxxxxxxx>
Signed-off-by: Tuong Lien <tuong.t.lien@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/tipc/discover.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, stru
 {
 	struct tipc_net *tn = tipc_net(net);
 	struct tipc_msg *hdr = buf_msg(skb);
+	u32 pnet_hash = msg_peer_net_hash(hdr);
 	u16 caps = msg_node_capabilities(hdr);
 	bool legacy = tn->legacy_addr_format;
 	u32 sugg = msg_sugg_node_addr(hdr);
@@ -245,9 +246,8 @@ void tipc_disc_rcv(struct net *net, stru
 		return;
 	if (!tipc_in_scope(legacy, b->domain, src))
 		return;
-	tipc_node_check_dest(net, src, peer_id, b, caps, signature,
-			     msg_peer_net_hash(hdr), &maddr, &respond,
-			     &dupl_addr);
+	tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash,
+			     &maddr, &respond, &dupl_addr);
 	if (dupl_addr)
 		disc_dupl_alert(b, src, &maddr);
 	if (!respond)


Patches currently in stable-queue which might be from tuong.t.lien@xxxxxxxxxxxxxx are

queue-5.4/tipc-add-a-missing-case-of-tipc_direct_msg-type.patch
queue-5.4/tipc-fix-use-after-free-in-tipc_disc_rcv.patch






