* [PATCH net] tipc: re-fetch skb cb after tipc_msg_validate
@ 2022-11-25 17:46 Xin Long
From: Xin Long @ 2022-11-25 17:46 UTC (permalink / raw)
To: network dev, tipc-discussion
Cc: davem, kuba, Eric Dumazet, Paolo Abeni, Jon Maloy, Ying Xue, Shuang Li
As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause a use-after-free crash.
BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
Call Trace:
<IRQ>
tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
...
Allocated by task 47078:
kmem_cache_alloc_node+0x158/0x4d0
__alloc_skb+0x1c1/0x270
tipc_buf_acquire+0x1e/0xe0 [tipc]
tipc_msg_create+0x33/0x1c0 [tipc]
tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
tipc_link_timeout+0x8b8/0xef0 [tipc]
tipc_node_timeout+0x2a1/0x960 [tipc]
call_timer_fn+0x2d/0x1c0
...
Freed by task 47078:
tipc_msg_validate+0x7b/0x440 [tipc]
tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
This patch fixes it by re-fetching the skb cb from the newly allocated skb
after calling tipc_msg_validate().
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/tipc/crypto.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index f09316a9035f..d67440de011e 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -1971,6 +1971,9 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
/* Ok, everything's fine, try to synch own keys according to peers' */
tipc_crypto_key_synch(rx, *skb);
+ /* Re-fetch skb cb as skb might be changed in tipc_msg_validate */
+ skb_cb = TIPC_SKB_CB(*skb);
+
/* Mark skb decrypted */
skb_cb->decrypted = 1;
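Review bot: the new comment says the skb "might be changed" in tipc_msg_validate(), but the commit message states the old skb is freed and *skb is replaced by a newly allocated one, so the stale skb_cb is a dangling pointer rather than merely outdated; wording the comment accordingly, e.g. `/* tipc_msg_validate() may free *skb and replace it; refresh skb_cb */`, tells the next reader why the re-fetch cannot be moved or dropped. Also worth confirming in review that nothing between the tipc_msg_validate() call and this hunk still dereferences the old skb_cb (the visible tipc_crypto_key_synch(rx, *skb) takes *skb, not skb_cb), since the re-fetch only protects the uses that follow it.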
--
2.31.1
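A constructed model of the bug the commit message describes (an added example, not code from the patch or from net/tipc): a pointer into the buffer's control block is taken before a validate call that may replace the buffer, so the "decrypted" mark lands in the wrong buffer unless the cb pointer is re-fetched. The struct, BUF_CB() and validate_may_realloc() are stand-ins for sk_buff, TIPC_SKB_CB() and tipc_msg_validate(); the replaced buffer is handed back instead of freed so the demo never reads freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an sk_buff: the cb area lives inside the struct,
 * so a new buffer means a new cb address. */
struct buf {
    size_t len;
    unsigned char cb[48];
    unsigned char *data;
};

struct cb_info { int decrypted; };            /* stand-in for the TIPC cb layout */
#define BUF_CB(b) ((struct cb_info *)(b)->cb)  /* stand-in for TIPC_SKB_CB() */

/* Stand-in for tipc_msg_validate(): may replace *pb with a fresh buffer.
 * The displaced buffer is returned via *old rather than freed, purely so
 * the demonstration stays memory-safe; the kernel function frees it. */
static int validate_may_realloc(struct buf **pb, int force_copy, struct buf **old)
{
    *old = NULL;
    if (!force_copy)
        return 0;
    struct buf *nb = calloc(1, sizeof(*nb));
    if (!nb)
        return -1;
    nb->len = (*pb)->len;
    nb->data = (*pb)->data;
    memcpy(nb->cb, (*pb)->cb, sizeof(nb->cb));   /* cb contents carried over */
    *old = *pb;
    *pb = nb;
    return 0;
}

/* Mirrors the tail of tipc_crypto_rcv_complete(). refetch=0 reproduces the
 * bug (cb taken before validate, then used); refetch=1 applies the fix.
 * Returns the decrypted flag of the buffer actually delivered via *out. */
int rcv_complete(int force_copy, int refetch, struct buf **out, struct buf **old)
{
    struct buf *b = calloc(1, sizeof(*b));
    if (!b)
        return -1;
    struct cb_info *cb = BUF_CB(b);            /* fetched before validate */
    if (validate_may_realloc(&b, force_copy, old) < 0) { free(b); return -1; }
    if (refetch)
        cb = BUF_CB(b);                        /* the fix: re-fetch from the new buffer */
    cb->decrypted = 1;                         /* with a stale cb this hits the old buffer */
    *out = b;
    return BUF_CB(b)->decrypted;
}
```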
* Re: [PATCH net] tipc: re-fetch skb cb after tipc_msg_validate
From: patchwork-bot+netdevbpf @ 2022-11-29 2:20 UTC (permalink / raw)
To: Xin Long
Cc: netdev, tipc-discussion, davem, kuba, edumazet, pabeni, jmaloy, ying.xue, shuali
Hello:
This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Fri, 25 Nov 2022 12:46:43 -0500 you wrote:
> As the call trace shows, the original skb was freed in tipc_msg_validate(),
> and dereferencing the old skb cb would cause a use-after-free crash.
>
> BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
> Call Trace:
> <IRQ>
> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
> tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
> tipc_rcv+0x744/0x1150 [tipc]
> ...
> Allocated by task 47078:
> kmem_cache_alloc_node+0x158/0x4d0
> __alloc_skb+0x1c1/0x270
> tipc_buf_acquire+0x1e/0xe0 [tipc]
> tipc_msg_create+0x33/0x1c0 [tipc]
> tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
> tipc_link_timeout+0x8b8/0xef0 [tipc]
> tipc_node_timeout+0x2a1/0x960 [tipc]
> call_timer_fn+0x2d/0x1c0
> ...
> Freed by task 47078:
> tipc_msg_validate+0x7b/0x440 [tipc]
> tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
> tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
> tipc_rcv+0x744/0x1150 [tipc]
>
> [...]
Here is the summary with links:
- [net] tipc: re-fetch skb cb after tipc_msg_validate
https://git.kernel.org/netdev/net/c/3067bc61fcfe
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html