diff mbox series

[SRU,F/J/L/M,1/1] net/rose: Fix Use-After-Free in rose_ioctl

Message ID 20240117222555.51460-2-yuxuan.luo@canonical.com
State New
Headers show
Series CVE-2023-51782 | expand

Commit Message

Yuxuan Luo Jan. 17, 2024, 10:25 p.m. UTC 
From: Hyunwoo Kim <v4bel@theori.io>

Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53)
CVE-2023-51782
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
---
 net/rose/af_rose.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 6fb158172ddc2..fc9ef08788f73 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1285,9 +1285,11 @@  static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 	case TIOCINQ: {
 		struct sk_buff *skb;
 		long amount = 0L;
-		/* These two are safe on a single CPU system as only user tasks fiddle here */
+
+		spin_lock_irq(&sk->sk_receive_queue.lock);
 		if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)
 			amount = skb->len;
+		spin_unlock_irq(&sk->sk_receive_queue.lock);
 		return put_user(amount, (unsigned int __user *) argp);
 	}