Patch "net/rose: Fix Use-After-Free in rose_ioctl" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    net/rose: Fix Use-After-Free in rose_ioctl

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-rose-fix-use-after-free-in-rose_ioctl.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 508918b6ded6045d9095076e392d84e9690f6e1f
Author: Hyunwoo Kim <v4bel@xxxxxxxxx>
Date:   Sat Dec 9 05:05:38 2023 -0500

    net/rose: Fix Use-After-Free in rose_ioctl
    
    [ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ]
    
    Because rose_ioctl() accesses sk->sk_receive_queue
    without holding sk->sk_receive_queue.lock, it can
    cause a race with rose_accept().
    A use-after-free for skb occurs with the following flow.
    ```
    rose_ioctl() -> skb_peek()
    rose_accept() -> skb_dequeue() -> kfree_skb()
    ```
    Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Hyunwoo Kim <v4bel@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index ac2ea4ebf7c7c..04e5e01002ae0 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1309,9 +1309,11 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 	case TIOCINQ: {
 		struct sk_buff *skb;
 		long amount = 0L;
-		/* These two are safe on a single CPU system as only user tasks fiddle here */
+
+		spin_lock_irq(&sk->sk_receive_queue.lock);
 		if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)
 			amount = skb->len;
+		spin_unlock_irq(&sk->sk_receive_queue.lock);
 		return put_user(amount, (unsigned int __user *) argp);
 	}
 
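Review bot: the critical section is scoped correctly in this hunk: `skb->len` is copied into `amount` while the lock is held, and `put_user()` (which may fault and sleep) runs only after `spin_unlock_irq()`, so the peeked skb pointer is never dereferenced outside the lock and no sleeping call sits inside it. Two things worth stating in the commit message: first, `sk_receive_queue.lock` is the same lock `skb_dequeue()` takes on the concurrent `rose_accept()` path, so the peek and the `kfree_skb()` that follows the dequeue are now serialized, which is what closes the use-after-free. Second, `spin_lock_irq()`/`spin_unlock_irq()` unconditionally re-enable interrupts on exit; that is fine because an ioctl handler runs in process context with interrupts enabled, but if this code were ever reached from a context where interrupts might already be disabled, the `spin_lock_irqsave()`/`spin_unlock_irqrestore()` pair would be the safe choice. Dropping the "safe on a single CPU system" comment is the right call, since that reasoning never held on SMP or with preemption.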



