[net] tipc: re-fetch skb cb after tipc_msg_validate

Message ID 1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com
State Accepted
Commit 3067bc61fcfe3081bf4807ce65560f499e895e77
Delegated to: Netdev Maintainers
Series [net] tipc: re-fetch skb cb after tipc_msg_validate

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers fail 1 blamed authors not CCed: tuong.t.lien@dektech.com.au; 1 maintainers not CCed: tuong.t.lien@dektech.com.au
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Xin Long Nov. 25, 2022, 5:46 p.m. UTC
As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause a use-after-free crash.

  BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
  Call Trace:
   <IRQ>
   tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
   tipc_rcv+0x744/0x1150 [tipc]
  ...
  Allocated by task 47078:
   kmem_cache_alloc_node+0x158/0x4d0
   __alloc_skb+0x1c1/0x270
   tipc_buf_acquire+0x1e/0xe0 [tipc]
   tipc_msg_create+0x33/0x1c0 [tipc]
   tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
   tipc_link_timeout+0x8b8/0xef0 [tipc]
   tipc_node_timeout+0x2a1/0x960 [tipc]
   call_timer_fn+0x2d/0x1c0
  ...
  Freed by task 47078:
   tipc_msg_validate+0x7b/0x440 [tipc]
   tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
   tipc_rcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the newly allocated skb
after calling tipc_msg_validate().

Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/tipc/crypto.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Nov. 29, 2022, 2:20 a.m. UTC | #1
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 25 Nov 2022 12:46:43 -0500 you wrote:
> As the call trace shows, the original skb was freed in tipc_msg_validate(),
> and dereferencing the old skb cb would cause a use-after-free crash.
> 
>   BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
>   Call Trace:
>    <IRQ>
>    tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
>    tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
>    tipc_rcv+0x744/0x1150 [tipc]
>   ...
>   Allocated by task 47078:
>    kmem_cache_alloc_node+0x158/0x4d0
>    __alloc_skb+0x1c1/0x270
>    tipc_buf_acquire+0x1e/0xe0 [tipc]
>    tipc_msg_create+0x33/0x1c0 [tipc]
>    tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
>    tipc_link_timeout+0x8b8/0xef0 [tipc]
>    tipc_node_timeout+0x2a1/0x960 [tipc]
>    call_timer_fn+0x2d/0x1c0
>   ...
>   Freed by task 47078:
>    tipc_msg_validate+0x7b/0x440 [tipc]
>    tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
>    tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
>    tipc_rcv+0x744/0x1150 [tipc]
> 
> [...]

Here is the summary with links:
  - [net] tipc: re-fetch skb cb after tipc_msg_validate
    https://git.kernel.org/netdev/net/c/3067bc61fcfe

You are awesome, thank you!

Patch

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index f09316a9035f..d67440de011e 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -1971,6 +1971,9 @@  static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
 	/* Ok, everything's fine, try to synch own keys according to peers' */
 	tipc_crypto_key_synch(rx, *skb);
 
+	/* Re-fetch skb cb as skb might be changed in tipc_msg_validate */
+	skb_cb = TIPC_SKB_CB(*skb);
+
 	/* Mark skb decrypted */
 	skb_cb->decrypted = 1;
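Review bot: the re-fetch is placed after tipc_crypto_key_synch(rx, *skb) rather than directly after the tipc_msg_validate() call that the new comment refers to, so any use of the cached skb_cb between that call and this point (outside the visible context) would still go through the stale pointer; consider moving `skb_cb = TIPC_SKB_CB(*skb);` to immediately follow the call that may replace *skb, or dropping the cached pointer altogether and writing `TIPC_SKB_CB(*skb)->decrypted = 1;` at the point of use, so a control-block pointer can no longer outlive the buffer it was taken from. The comment would also be clearer if it stated what the commit message does: that tipc_msg_validate() may free the original skb and store a newly allocated one in *skb, which is the use-after-free the Fixes tag addresses.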