From: Eric Dumazet <edumazet@xxxxxxxxxx>
commit 2d5ff7e339d04622d8282661df36151906d0e1c7 upstream.
If skb_expand_head() returns NULL, skb has been freed
and the associated dst/idev could also have been freed.
We must use rcu_read_lock() to prevent a possible UAF.
Fixes: 0c9f227bee11 ("ipv6: use skb_expand_head in ip6_xmit")
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: Vasily Averin <vasily.averin@xxxxxxxxx>
Reviewed-by: David Ahern <dsahern@xxxxxxxxxx>
Link: https://patch.msgid.link/20240820160859.3786976-4-edumazet@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ipv6/ip6_output.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -272,11 +272,15 @@ int ip6_xmit(const struct sock *sk, stru
head_room += opt->opt_nflen + opt->opt_flen;
if (unlikely(head_room > skb_headroom(skb))) {
+ /* Make sure idev stays alive */
+ rcu_read_lock();
skb = skb_expand_head(skb, head_room);
if (!skb) {
IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+ rcu_read_unlock();
return -ENOBUFS;
}
+ rcu_read_unlock();
}
if (opt) {
Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are
queue-5.10/skb_expand_head-adjust-skb-truesize-incorrectly.patch
queue-5.10/ipv6-prevent-possible-uaf-in-ip6_xmit.patch
queue-5.10/ipv6-fix-possible-uaf-in-ip6_finish_output2.patch
queue-5.10/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch
queue-5.10/phy-core-fix-that-api-devm_phy_put-fails-to-release-the-phy.patch
