{
  "commit": "9a95492208ed8d6cdf5f72c650ffb7c7f3ee129a",
  "tree": "eb0f2462c462f0960182311fe00efd67b5b5e86e",
  "parents": [
    "41608fb91449bdcc9067bd348df89ba3174024d4"
  ],
  "author": {
    "name": "Toke Høiland-Jørgensen",
    "email": "toke@toke.dk",
    "time": "Wed Aug 31 23:52:18 2022 +0200"
  },
  "committer": {
    "name": "Michael Kochera",
    "email": "kochera@google.com",
    "time": "Fri Oct 28 19:07:46 2022 +0000"
  },
  "message": "sch_sfb: Don\u0027t assume the skb is still around after enqueueing to child\n\n[ Upstream commit 9efd23297cca530bb35e1848665805d3fcdd7889 ]\n\nThe sch_sfb enqueue() routine assumes the skb is still alive after it has\nbeen enqueued into a child qdisc, using the data in the skb cb field in the\nincrement_qlen() routine after enqueue. However, the skb may in fact have\nbeen freed, causing a use-after-free in this case. In particular, this\nhappens if sch_cake is used as a child of sfb, and the GSO splitting mode\nof CAKE is enabled (in which case the skb will be split into segments and\nthe original skb freed).\n\nFix this by copying the sfb cb data to the stack before enqueueing the skb,\nand using this stack copy in increment_qlen() instead of the skb pointer\nitself.\n\nBUG\u003db/254986004\nTEST\u003dhttp://sponge2/3f325319-4b95-4fb1-b44b-126c5461917e\nRELEASE_NOTE\u003dFixed CVE-2022-3586 in the Linux Kernel.\n\ncos-patch: security-moderate\nReported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231\nFixes: e13e02a3c68d (\"net_sched: SFB flow scheduler\")\nSigned-off-by: Toke Høiland-Jørgensen \u003ctoke@toke.dk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nChange-Id: I7750ea27fd4d98d0d4b69b226c0756cc130fa595\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/38028\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Vaibhav Rustagi \u003cvaibhavrustagi@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "3d061a13d7ed2bd5294c3eddd1bd1bcdaafda464",
      "old_mode": 33188,
      "old_path": "net/sched/sch_sfb.c",
      "new_id": "0d761f454ae8b40e29c4dc05490f964c15df3d32",
      "new_mode": 33188,
      "new_path": "net/sched/sch_sfb.c"
    }
  ]
}
