Patch "appletalk: Fix Use-After-Free in atalk_ioctl" has been added to the 5.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    appletalk: Fix Use-After-Free in atalk_ioctl

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     appletalk-fix-use-after-free-in-atalk_ioctl.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 34f96d45e87f5f693c3bcbdd182a12e5a987371b
Author: Hyunwoo Kim <v4bel@xxxxxxxxx>
Date:   Tue Dec 12 23:10:56 2023 -0500

    appletalk: Fix Use-After-Free in atalk_ioctl
    
    [ Upstream commit 189ff16722ee36ced4d2a2469d4ab65a8fee4198 ]
    
    Because atalk_ioctl() accesses sk->sk_receive_queue
    without holding a sk->sk_receive_queue.lock, it can
    cause a race with atalk_recvmsg().
    A use-after-free for skb occurs with the following flow.
    ```
    atalk_ioctl() -> skb_peek()
    atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
    ```
    Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Hyunwoo Kim <v4bel@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index c94b212d8e7ca..46adb8cefccf2 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1811,15 +1811,14 @@ static int atalk_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 		break;
 	}
 	case TIOCINQ: {
-		/*
-		 * These two are safe on a single CPU system as only
-		 * user tasks fiddle here
-		 */
-		struct sk_buff *skb = skb_peek(&sk->sk_receive_queue);
+		struct sk_buff *skb;
 		long amount = 0;
 
+		spin_lock_irq(&sk->sk_receive_queue.lock);
+		skb = skb_peek(&sk->sk_receive_queue);
 		if (skb)
 			amount = skb->len - sizeof(struct ddpehdr);
+		spin_unlock_irq(&sk->sk_receive_queue.lock);
 		rc = put_user(amount, (int __user *)argp);
 		break;
 	}




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux