From patchwork Fri Sep 14 19:02:31 2018
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 970059
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet
Subject: [PATCH net] ipv6: fix possible use-after-free in ip6_xmit()
Date: Fri, 14 Sep 2018 12:02:31 -0700
Message-Id: <20180914190232.184779-1-edumazet@google.com>
X-Mailing-List: netdev@vger.kernel.org

In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
we need to call skb_set_owner_w() before consuming the original skb,
otherwise we risk a use-after-free.

Bring IPv6 in line with what we do in IPv4 to fix this.

Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
---
 net/ipv6/ip6_output.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 16f200f06500758c4cae84ea16229d5dbce912cb..f9f8f554d141676a7d342f85088d12d9a6815e9d 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -219,12 +219,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, kfree_skb(skb); return -ENOBUFS; } + if (skb->sk) + skb_set_owner_w(skb2, skb->sk); consume_skb(skb); skb = skb2; - /* skb_set_owner_w() changes sk->sk_wmem_alloc atomically, - * it is safe to call in our context (socket lock not held) - */ - skb_set_owner_w(skb, (struct sock *)sk); } if (opt->opt_flen) ipv6_push_frag_opts(skb, opt, &proto);
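Review bot: the ordering of the two added lines relative to consume_skb(skb) is the whole fix, and the commit message would benefit from spelling it out: consume_skb() runs the original skb's destructor, which may release the last sk_wmem_alloc reference holding the socket alive, so skb_set_owner_w(skb2, ...) must take its own reference before that point; the removed call ran after consume_skb() and could therefore operate on an already freed socket. Two smaller points on the same hunk: the dropped comment about sk->sk_wmem_alloc being updated atomically without the socket lock still applies to the new call and is worth keeping above it, and switching from the const `sk` parameter (with its cast) to `skb->sk` under a NULL check means an skb that has no owner now leaves skb2 unowned as well; that matches the IPv4 path the message cites, but a sentence saying so would save the next reader the comparison.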