cfa9ed48d7b41bec72216c864a9e47e36fdc73c4 - third_party/kernel

commit	cfa9ed48d7b41bec72216c864a9e47e36fdc73c4	[log] [tgz]
author	Eric Dumazet <edumazet@google.com>	Tue Aug 20 16:08:59 2024 +0000
committer	Michael Kochera <kochera@google.com>	Mon Sep 09 16:52:43 2024 +0000
tree	5cdeee7ac709bf38361ef758126f9938907fd499
parent	b64bfcf901b5978efa2212ca0d95b5ecc58e3fd4 [diff]

ipv6: prevent possible UAF in ip6_xmit()

[ Upstream commit 2d5ff7e339d04622d8282661df36151906d0e1c7 ]

If skb_expand_head() returns NULL, skb has been freed
and the associated dst/idev could also have been freed.

We must use rcu_read_lock() to prevent a possible UAF.

BUG=b/365056987
TEST=presubmit
RELEASE_NOTE=Fixes CVE-2024-44985 in the Linux kernel

cos-patch: security-high
Fixes: 0c9f227bee11 ("ipv6: use skb_expand_head in ip6_xmit")
Change-Id: Ie6ca08674c6ca304dbcbdef2b563e773dfa442bd
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kernel CVE Triage Automation <cloud-image-kernel-cve-triage-automation@prod.google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/80320
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Michael Kochera <kochera@google.com>

net/ipv6/ip6_output.c[diff]

1 file changed

tree: 5cdeee7ac709bf38361ef758126f9938907fd499