Patch "ip_vti: fix potential slab-use-after-free in decode_session6" has been added to the 6.4-stable tree

This is a note to let you know that I've just added the patch titled

    ip_vti: fix potential slab-use-after-free in decode_session6

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7cde476def3a2d996fa883ce3ab18df54d320ba3
Author: Zhengchao Shao <shaozhengchao@xxxxxxxxxx>
Date:   Mon Jul 10 17:40:53 2023 +0800

    ip_vti: fix potential slab-use-after-free in decode_session6
    
    [ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ]
    
    When ip_vti device is set to the qdisc of the sfb type, the cb field
    of the sent skb may be modified during enqueuing. Then,
    slab-use-after-free may occur when ip_vti device sends IPv6 packets.
    As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
    _decode_session6.") showed, xfrm_decode_session was originally intended
    only for the receive path. IP6CB(skb)->nhoff is not set during
    transmission. Therefore, set the cb field in the skb to 0 before
    sending packets.
    
    Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
    Signed-off-by: Zhengchao Shao <shaozhengchao@xxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 53bfd8af69203..d1e7d0ceb7edd 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -287,12 +287,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 
 	switch (skb->protocol) {
 	case htons(ETH_P_IP):
-		xfrm_decode_session(skb, &fl, AF_INET);
 		memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+		xfrm_decode_session(skb, &fl, AF_INET);
 		break;
 	case htons(ETH_P_IPV6):
-		xfrm_decode_session(skb, &fl, AF_INET6);
 		memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+		xfrm_decode_session(skb, &fl, AF_INET6);
 		break;
 	default:
 		goto tx_err;
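Review bot: the order of the two statements in each case (memset of the cb, then xfrm_decode_session) is now load-bearing, but nothing in the code says so. Add a short comment above the switch, or above each memset, stating that on the transmit path the cb may hold stale data left by the qdisc and must be cleared before xfrm_decode_session reads it, so a later cleanup does not swap the lines back. The commit message justifies only the ETH_P_IPV6 case (IP6CB(skb)->nhoff is not set during transmission), yet the ETH_P_IP case is reordered as well. The message should state whether the IPv4 decode also reads IPCB(skb) or whether that change is made only for symmetry.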


