| Message ID | 20240905193240.17565-1-kuniyu@amazon.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | af_unix: Correct manage_oob() when OOB follows a consumed OOB. | expand |
Hello: This series was applied to netdev/net-next.git (main) by Jakub Kicinski <kuba@kernel.org>: On Thu, 5 Sep 2024 12:32:36 -0700 you wrote: > Recently syzkaller reported UAF of OOB skb. > > The bug was introduced by commit 93c99f21db36 ("af_unix: Don't stop > recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") but uncovered > by another recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() > for OOB skb."). > > [...] Here is the summary with links: - [v1,net-next,1/4] af_unix: Remove single nest in manage_oob(). https://git.kernel.org/netdev/net-next/c/579770dd8985 - [v1,net-next,2/4] af_unix: Rename unlinked_skb in manage_oob(). https://git.kernel.org/netdev/net-next/c/beb2c5f19b6a - [v1,net-next,3/4] af_unix: Move spin_lock() in manage_oob(). https://git.kernel.org/netdev/net-next/c/a0264a9f51fe - [v1,net-next,4/4] af_unix: Don't return OOB skb in manage_oob(). https://git.kernel.org/netdev/net-next/c/5aa57d9f2d53 You are awesome, thank you!
Recently syzkaller reported UAF of OOB skb. The bug was introduced by commit 93c99f21db36 ("af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") but uncovered by another recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb."). This should be targeted for net.git, but it will introduce conflicts. Given it's now rc6, I'll target this for net-next and later send 8594d9b85c07 and this series for stable. [0]: https://lore.kernel.org/netdev/00000000000083b05a06214c9ddc@google.com/ Kuniyuki Iwashima (4): af_unix: Remove single nest in manage_oob(). af_unix: Rename unlinked_skb in manage_oob(). af_unix: Move spin_lock() in manage_oob(). af_unix: Don't return OOB skb in manage_oob(). net/unix/af_unix.c | 61 ++++++++++--------- tools/testing/selftests/net/af_unix/msg_oob.c | 23 +++++++ 2 files changed, 56 insertions(+), 28 deletions(-)