On Tue, Apr 30, 2024 at 3:53 PM Paolo Abeni <pabeni@xxxxxxxxxx> wrote:
>
> Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
> a UAF in the tipc_buf_append() error path:
>
> BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
> linux/net/core/skbuff.c:1183
> Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
>
>
> In the critical scenario, either the relevant skb is freed or its
> ownership is transferred into a frag_lists. In both cases, the cleanup
> code must not free it again: we need to clear the skb reference earlier.
>
> Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: zdi-disclosures@xxxxxxxxxxxxxx # ZDI-CAN-23852
> Acked-by: Xin Long <lucien.xin@xxxxxxxxx>
> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> ---
> net/tipc/msg.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
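The ownership problem the patch description names (a buffer whose ownership has moved into a fragment list is still held by the caller's reference, so the shared error-path cleanup releases it twice) is easy to see in a reduced model. The following is an added, constructed example and is not the kernel's tipc_buf_append() code nor the patch itself: the struct and function names (`tbuf`, `reasm`, `append_buggy`, `append_fixed`, `run_scenario`) are invented, and instead of really calling free() twice (undefined behaviour) it records a second release in a counter so the defect can be observed safely. The fixed variant applies the principle the description states: clear the caller's reference at the moment ownership is transferred, so the cleanup has nothing left to free again.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a network buffer ("skb"): a heap object carrying a
 * bookkeeping flag so that a second release is recorded rather than
 * corrupting the allocator (a real kfree_skb() twice is a UAF/double free). */
struct tbuf {
    int released;        /* set on first release; a second release is the bug */
    struct tbuf *next;   /* chain pointer once the buffer is owned by a list */
};

static int double_release_count;   /* defect counter read by the scenarios */

static struct tbuf *tbuf_alloc(void)
{
    struct tbuf *b = calloc(1, sizeof(*b));
    if (!b)
        abort();
    return b;
}

/* Logical release: the first call "frees" the buffer, a second call on the
 * same buffer is the double free we want to detect. The memory itself is
 * reclaimed by run_scenario() once the simulation is over. */
static void tbuf_release(struct tbuf *b)
{
    if (!b)
        return;
    if (b->released) {
        double_release_count++;
        return;
    }
    b->released = 1;
}

static void tbuf_release_list(struct tbuf *head)
{
    while (head) {
        struct tbuf *next = head->next;
        tbuf_release(head);
        head = next;
    }
}

/* Reassembly state: the chain of fragments that already belong to it. */
struct reasm {
    struct tbuf *frags;
};

/* Buggy shape of the error path described in the patch: the fragment is
 * linked into the frag list (ownership transferred), the append then fails,
 * and the cleanup both drops the whole list and releases the caller's
 * reference, which still points at the same buffer. */
static int append_buggy(struct reasm *r, struct tbuf **bufp, int fail)
{
    struct tbuf *frag = *bufp;

    frag->next = r->frags;
    r->frags = frag;               /* ownership now lives in r->frags */

    if (fail)
        goto err;
    return 0;

err:
    tbuf_release_list(r->frags);   /* releases frag as part of the list ... */
    r->frags = NULL;
    tbuf_release(*bufp);           /* ... and again via the stale reference */
    *bufp = NULL;
    return -1;
}

/* Fixed shape: clear the caller's reference at the moment ownership moves,
 * so the shared cleanup below has nothing left to release a second time. */
static int append_fixed(struct reasm *r, struct tbuf **bufp, int fail)
{
    struct tbuf *frag = *bufp;

    frag->next = r->frags;
    r->frags = frag;
    *bufp = NULL;                  /* reference cleared as ownership moves */

    if (fail)
        goto err;
    return 0;

err:
    tbuf_release_list(r->frags);
    r->frags = NULL;
    tbuf_release(*bufp);           /* now a no-op: *bufp is NULL */
    return -1;
}

/* Run one failing append with the given variant and report how many
 * double releases the model observed (or -100 if the error path was not hit). */
static int run_scenario(int (*append)(struct reasm *, struct tbuf **, int))
{
    struct reasm r = { .frags = NULL };
    struct tbuf *buf = tbuf_alloc();
    struct tbuf *keep = buf;       /* retained so the memory is actually freed once */
    int rc;

    double_release_count = 0;
    rc = append(&r, &buf, 1);
    free(keep);
    return rc == -1 ? double_release_count : -100;
}

int double_release_in_buggy_path(void) { return run_scenario(append_buggy); }
int double_release_in_fixed_path(void) { return run_scenario(append_fixed); }

int main(void)
{
    printf("buggy error path: %d double release(s)\n", double_release_in_buggy_path());
    printf("fixed error path: %d double release(s)\n", double_release_in_fixed_path());
    return 0;
}
```

The shape to look for when reviewing similar error paths is a single `err:` label that releases both a container and the individual object that was just handed to that container; the fix is not to special-case the cleanup but to make the reference reflect ownership as soon as it changes hands.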