linux/net/appletalk
Hyunwoo Kim 5b87ac25e8 appletalk: Fix Use-After-Free in atalk_ioctl
[ Upstream commit 189ff16722 ]

Because atalk_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with atalk_recvmsg().
A use-after-free for skb occurs with the following flow.
```
atalk_ioctl() -> skb_peek()
atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-12-20 15:17:37 +01:00

| File | Last commit | Date |
| --- | --- | --- |
| aarp.c | net: appletalk: fix the usage of preposition | 2021-06-08 11:37:41 -07:00 |
| atalk_proc.c | appletalk: Fix atalk_proc_init() return path | 2020-08-03 15:48:32 -07:00 |
| ddp.c | appletalk: Fix Use-After-Free in atalk_ioctl | 2023-12-20 15:17:37 +01:00 |
| dev.c | License cleanup: add SPDX GPL-2.0 license identifier to files with no license | 2017-11-02 11:10:55 +01:00 |
| Makefile | treewide: Add SPDX license identifier - Makefile/Kconfig | 2019-05-21 10:50:46 +02:00 |
| sysctl_net_atalk.c | appletalk: Fix use-after-free in atalk_proc_exit | 2019-03-03 13:01:49 -08:00 |