linux/net/tipc
Xin Long 1daec08156 tipc: re-fetch skb cb after tipc_msg_validate
[ Upstream commit 3067bc61fc ]

As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause a use-after-free crash.

  BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
  Call Trace:
   <IRQ>
   tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
   tipc_rcv+0x744/0x1150 [tipc]
  ...
  Allocated by task 47078:
   kmem_cache_alloc_node+0x158/0x4d0
   __alloc_skb+0x1c1/0x270
   tipc_buf_acquire+0x1e/0xe0 [tipc]
   tipc_msg_create+0x33/0x1c0 [tipc]
   tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
   tipc_link_timeout+0x8b8/0xef0 [tipc]
   tipc_node_timeout+0x2a1/0x960 [tipc]
   call_timer_fn+0x2d/0x1c0
  ...
  Freed by task 47078:
   tipc_msg_validate+0x7b/0x440 [tipc]
   tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
   tipc_rcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the newly allocated skb
after calling tipc_msg_validate().

Fixes: fc1b6d6de2 ("tipc: introduce TIPC encryption & authentication")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-08 11:28:41 +01:00
addr.c tipc: introduce new unified address type for internal use 2021-03-17 11:51:04 -07:00
addr.h tipc: introduce new unified address type for internal use 2021-03-17 11:51:04 -07:00
bcast.c net: tipc: fix FB_MTU eat two pages 2021-06-28 13:31:57 -07:00
bcast.h
bearer.c tipc: check attribute length for bearer name 2022-06-14 18:36:13 +02:00
bearer.h net: tipc: Fix spelling errors in net/tipc module 2021-04-07 14:29:29 -07:00
core.c tipc: fix use-after-free Read in tipc_named_reinit 2022-06-29 09:03:22 +02:00
core.h tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
crypto.c tipc: re-fetch skb cb after tipc_msg_validate 2022-12-08 11:28:41 +01:00
crypto.h net/tipc: fix tipc header files for kernel-doc 2020-12-01 15:37:41 -08:00
diag.c
discover.c tipc: check skb_linearize() return value in tipc_disc_rcv() 2022-12-02 17:41:06 +01:00
discover.h
eth_media.c
group.c
group.h
ib_media.c
Kconfig
link.c tipc: fix incorrect order of state message data sanity check 2022-03-16 14:23:38 +01:00
link.h tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
Makefile
monitor.c tipc: fix shift wrapping bug in map_get() 2022-09-15 11:30:05 +02:00
monitor.h
msg.c net: tipc: replace align() with ALIGN in msg.c 2021-06-28 13:31:57 -07:00
msg.h net: tipc: fix FB_MTU eat two pages 2021-06-28 13:31:57 -07:00
name_distr.c tipc: rate limit warning for received illegal binding update 2022-02-16 12:56:30 +01:00
name_distr.h net/tipc: fix tipc header files for kernel-doc 2020-12-01 15:37:41 -08:00
name_table.c tipc: Fix end of loop tests for list_for_each_entry() 2022-03-02 11:47:56 +01:00
name_table.h tipc: simplify handling of lookup scope during multicast message reception 2021-06-03 14:06:39 -07:00
net.c tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
net.h
netlink_compat.c tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header 2022-11-16 09:58:19 +01:00
netlink.c
netlink.h
node.c tipc: move bc link creation back to tipc_node_create 2022-07-07 17:53:28 +02:00
node.h
socket.c net: Fix data-races around sysctl_[rw]mem(_offset)?. 2022-08-03 12:03:51 +02:00
socket.h
subscr.c tipc:subscr.c: fix a spelling mistake 2021-06-10 13:48:43 -07:00
subscr.h tipc: fix htmldoc and smatch warnings 2021-03-29 16:28:50 -07:00
sysctl.c
topsrv.c tipc: add an extra conn_get in tipc_conn_alloc 2022-12-02 17:41:06 +01:00
topsrv.h
trace.c net/tipc: fix various kernel-doc warnings 2020-12-01 15:37:46 -08:00
trace.h
udp_media.c tipc: wait and exit until all work queues are done 2021-05-17 14:07:48 -07:00
udp_media.h