[net,0/3] fix slab-use-after-free in decode_session6

Message ID	20230710094053.3302181-1-shaozhengchao@huawei.com (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2C8DC8D0 for <netdev@vger.kernel.org>; Mon, 10 Jul 2023 09:34:58 +0000 (UTC) From: Zhengchao Shao <shaozhengchao@huawei.com> To: <netdev@vger.kernel.org>, <steffen.klassert@secunet.com>, <herbert@gondor.apana.org.au>, <davem@davemloft.net>, <dsahern@kernel.org>, <edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com> CC: <weiyongjun1@huawei.com>, <yuehaibing@huawei.com>, <shaozhengchao@huawei.com> Subject: [PATCH net 0/3] fix slab-use-after-free in decode_session6 Date: Mon, 10 Jul 2023 17:40:50 +0800 Message-ID: <20230710094053.3302181-1-shaozhengchao@huawei.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	fix slab-use-after-free in decode_session6 \| expand [net,0/3] fix slab-use-after-free in decode_session6 [net,1/3] xfrm: fix slab-use-after-free in decode_session6 [net,2/3] ip6_vti: fix slab-use-after-free in decode_session6 [net,3/3] ip_vti: fix potential slab-use-after-free in decode_session6

Message ID

20230710094053.3302181-1-shaozhengchao@huawei.com (mailing list archive)

Headers

From: Zhengchao Shao <shaozhengchao@huawei.com>
To: <netdev@vger.kernel.org>, <steffen.klassert@secunet.com>,
	<herbert@gondor.apana.org.au>, <davem@davemloft.net>, <dsahern@kernel.org>,
	<edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>
CC: <weiyongjun1@huawei.com>, <yuehaibing@huawei.com>,
	<shaozhengchao@huawei.com>
Subject: [PATCH net 0/3] fix slab-use-after-free in decode_session6
Date: Mon, 10 Jul 2023 17:40:50 +0800
Message-ID: <20230710094053.3302181-1-shaozhengchao@huawei.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

fix slab-use-after-free in decode_session6 | expand

Message

shaozhengchao July 10, 2023, 9:40 a.m. UTC

When net device is configured with the qdisc of the sfb type, the cb
field of the SKB is used in both enqueue and decode session of packets,
and the fields overlap. When enqueuing packets, the cb field of skb is
used as a hash array. Also it is used as the header offset when decoding
session of skb. Therefore, it will cause slab-use-after-free in
decode_session6.
The cb field in the skb should not be used when sending packets. Set the
cb field of skb to 0 before decoding skb.

Zhengchao Shao (3):
  xfrm: fix slab-use-after-free in decode_session6
  ip6_vti: fix slab-use-after-free in decode_session6
  ip_vti: fix potential slab-use-after-free in decode_session6

 net/ipv4/ip_vti.c              | 4 ++--
 net/ipv6/ip6_vti.c             | 4 ++--
 net/xfrm/xfrm_interface_core.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

Comments

Steffen Klassert July 17, 2023, 7:42 a.m. UTC | #1

On Mon, Jul 10, 2023 at 05:40:50PM +0800, Zhengchao Shao wrote:
> When net device is configured with the qdisc of the sfb type, the cb
> field of the SKB is used in both enqueue and decode session of packets,
> and the fields overlap. When enqueuing packets, the cb field of skb is
> used as a hash array. Also it is used as the header offset when decoding
> session of skb. Therefore, it will cause slab-use-after-free in
> decode_session6.
> The cb field in the skb should not be used when sending packets. Set the
> cb field of skb to 0 before decoding skb.
> 
> Zhengchao Shao (3):
>   xfrm: fix slab-use-after-free in decode_session6
>   ip6_vti: fix slab-use-after-free in decode_session6
>   ip_vti: fix potential slab-use-after-free in decode_session6

Series applied, thanks a lot!