ipv6: prevent possible UAF in ip6_xmit()

Eric Dumazet · kuba-moo · commit 2d5ff7e339d0 · 2024-08-21T17:35:49.000-07:00
If skb_expand_head() returns NULL, skb has been freed and the associated dst/idev could also have been freed. We must use rcu_read_lock() to prevent a possible UAF. Fixes: 0c9f227 ("ipv6: use skb_expand_head in ip6_xmit") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Vasily Averin <vasily.averin@linux.dev> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20240820160859.3786976-4-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
@@ -287,11 +287,15 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
 		head_room += opt->opt_nflen + opt->opt_flen;
 
 	if (unlikely(head_room > skb_headroom(skb))) {
+		/* Make sure idev stays alive */
+		rcu_read_lock();
 		skb = skb_expand_head(skb, head_room);
 		if (!skb) {
 			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+			rcu_read_unlock();
 			return -ENOBUFS;
 		}
+		rcu_read_unlock();
 	}
 
 	if (opt) {

Original file line number	Diff line number	Diff line change
`@@ -287,11 +287,15 @@ int ip6_xmit(const struct sock sk, struct sk_buff skb, struct flowi6 *fl6,`
`287`	`287`	`head_room += opt->opt_nflen + opt->opt_flen;`
`288`	`288`
`289`	`289`	`if (unlikely(head_room > skb_headroom(skb))) {`
	`290`	`+ /* Make sure idev stays alive */`
	`291`	`+ rcu_read_lock();`
`290`	`292`	`skb = skb_expand_head(skb, head_room);`
`291`	`293`	`if (!skb) {`
`292`	`294`	`IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);`
	`295`	`+ rcu_read_unlock();`
`293`	`296`	`return -ENOBUFS;`
`294`	`297`	`}`
	`298`	`+ rcu_read_unlock();`
`295`	`299`	`}`
`296`	`300`
`297`	`301`	`if (opt) {`