Patch "udp6: Fix race condition in udp6_sendmsg & connect" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 5 Jun 2023 07:50:52 -0400

This is a note to let you know that I've just added the patch titled

    udp6: Fix race condition in udp6_sendmsg & connect

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     udp6-fix-race-condition-in-udp6_sendmsg-connect.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit bb7fa174539bff4a50e35c694272454ae3a02fd6
Author: Vladislav Efanov <VEfanov@xxxxxxxxx>
Date:   Tue May 30 14:39:41 2023 +0300

    udp6: Fix race condition in udp6_sendmsg & connect
    
    [ Upstream commit 448a5ce1120c5bdbce1f1ccdabcd31c7d029f328 ]
    
    Syzkaller got the following report:
    BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
    Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255
    
    The function sk_setup_caps (called by ip6_sk_dst_store_flow->
    ip6_dst_store) referenced already freed memory as this memory was
    freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
    sk_dst_check.
    
              task1 (connect)              task2 (udp6_sendmsg)
            sk_setup_caps->sk_dst_set |
                                      |  sk_dst_check->
                                      |      sk_dst_set
                                      |      dst_release
            sk_setup_caps references  |
            to already freed dst_entry|
    
    The reason for this race condition is: sk_setup_caps() keeps using
    the dst after transferring the ownership to the dst cache.
    
    Found by Linux Verification Center (linuxtesting.org) with syzkaller.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Vladislav Efanov <VEfanov@xxxxxxxxx>
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/core/sock.c b/net/core/sock.c
index b8f8252d36819..2fba329e8c7a5 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2029,7 +2029,6 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
 {
 	u32 max_segs = 1;
 
-	sk_dst_set(sk, dst);
 	sk->sk_route_caps = dst->dev->features | sk->sk_route_forced_caps;
 	if (sk->sk_route_caps & NETIF_F_GSO)
 		sk->sk_route_caps |= NETIF_F_GSO_SOFTWARE;
@@ -2044,6 +2043,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
 		}
 	}
 	sk->sk_gso_max_segs = max_segs;
+	sk_dst_set(sk, dst);
 }
 EXPORT_SYMBOL_GPL(sk_setup_caps);
 






