[SRU,N,0/1] CVE-2024-44987

Message ID 20240925013857.98685-1-koichiro.den@canonical.com

Message

Koichiro Den Sept. 25, 2024, 1:38 a.m. UTC
[Impact]

ipv6: prevent UAF in ip6_send_skb()

syzbot reported a UAF in ip6_send_skb() [1]

After ip6_local_out() has returned, we can no longer safely
dereference rt, unless we hold rcu_read_lock().

A similar issue has been fixed in commit
a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")

Another potential issue in ip6_finish_output2() is handled in a
separate patch.

[1] See the original commit message:
    faa389b2fbaa ("ipv6: prevent UAF in ip6_send_skb()")

[Fix]

Noble:  Clean cherry-pick
Jammy:  fixed via stable
Focal:  fixed via stable
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: not affected

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix addresses an issue in the ipv6 stack. Without the fix, users could
potentially encounter unpredictable system behavior or a system crash.


Eric Dumazet (1):
  ipv6: prevent UAF in ip6_send_skb()

 net/ipv6/ip6_output.c | 2 ++
 1 file changed, 2 insertions(+)
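The lifetime rule the cover letter describes (a route pointer taken before ip6_local_out() is only safe to dereference afterwards from inside an RCU read-side section), as an added user-space model. This is example code, not the kernel patch or any Ubuntu code: the RCU, route and transmit functions are toy stand-ins, and the "fixed" variant assumes the fix is a rcu_read_lock()/rcu_read_unlock() pair around the existing body, as the Impact text and the two-line diffstat suggest.

```c
#include <stdbool.h>

/* Toy route object standing in for the kernel's rt6_info (constructed model). */
struct rt_model {
    bool freed;                 /* memory reclaimed; any access now is a UAF */
    bool release_pending;       /* reclaim requested while a reader was active */
    unsigned long out_discards; /* stands in for the OUTDISCARDS counter via rt->rt6i_idev */
};

/* Minimal RCU model: reclaim is deferred while any reader holds the lock. */
static int rcu_readers;

static void rcu_read_lock_m(void) { rcu_readers++; }

static void rcu_read_unlock_m(struct rt_model *rt)
{
    if (--rcu_readers == 0 && rt->release_pending) {
        rt->release_pending = false;
        rt->freed = true;       /* grace period has ended: memory goes away */
    }
}

/* Route dropped by the transmit path (kernel: handed to kfree_rcu()). */
static void rt_release(struct rt_model *rt)
{
    if (rcu_readers)
        rt->release_pending = true;
    else
        rt->freed = true;
}

/* Stand-in for ip6_local_out(): in this scenario the dst is released during
 * output and a transmit error is reported back to the caller. */
static int local_out_m(struct rt_model *rt) { rt_release(rt); return -1; }

/* Counter update; returns false instead of touching reclaimed memory. */
static bool inc_stats_m(struct rt_model *rt)
{
    if (rt->freed)
        return false;           /* this is the use-after-free the fix prevents */
    rt->out_discards++;
    return true;
}

/* Unfixed shape: rt dereferenced after local_out with no RCU protection. */
bool send_skb_unfixed(struct rt_model *rt)
{
    return local_out_m(rt) ? inc_stats_m(rt) : true;
}

/* Fixed shape: the read-side section spans both the transmit and the stats update. */
bool send_skb_fixed(struct rt_model *rt)
{
    bool ok = true;
    rcu_read_lock_m();
    if (local_out_m(rt))
        ok = inc_stats_m(rt);   /* safe: reclaim is deferred until unlock */
    rcu_read_unlock_m(rt);
    return ok;
}
```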

Comments

Mehmet Basaran Oct. 1, 2024, 8:16 p.m. UTC | #1
Acked-by: Mehmet Basaran <mehmet.basaran@canonical.com>
Koichiro Den <koichiro.den@canonical.com> writes:

> [Impact]
>
> ipv6: prevent UAF in ip6_send_skb()
>
> syzbot reported a UAF in ip6_send_skb() [1]
>
> After ip6_local_out() has returned, we can no longer safely
> dereference rt, unless we hold rcu_read_lock().
>
> A similar issue has been fixed in commit
> a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")
>
> Another potential issue in ip6_finish_output2() is handled in a
> separate patch.
>
> [1] See the original commit message:
>     faa389b2fbaa ("ipv6: prevent UAF in ip6_send_skb()")
>
> [Fix]
>
> Noble:  Clean cherry-pick
> Jammy:  fixed via stable
> Focal:  fixed via stable
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix addresses an issue in the ipv6 stack. Without the fix, users could
> potentially encounter unpredictable system behavior or a system crash.
>
>
> Eric Dumazet (1):
>   ipv6: prevent UAF in ip6_send_skb()
>
>  net/ipv6/ip6_output.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> -- 
> 2.43.0
>
>
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Chris Chiu Oct. 2, 2024, 4:16 a.m. UTC | #2
Koichiro Den <koichiro.den@canonical.com> writes:
> [Impact]
>
> ipv6: prevent UAF in ip6_send_skb()
>
> syzbot reported a UAF in ip6_send_skb() [1]
>
> After ip6_local_out() has returned, we can no longer safely
> dereference rt, unless we hold rcu_read_lock().
>
> A similar issue has been fixed in commit
> a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")
>
> Another potential issue in ip6_finish_output2() is handled in a
> separate patch.
>
> [1] See the original commit message:
>     faa389b2fbaa ("ipv6: prevent UAF in ip6_send_skb()")
>
> [Fix]
>
> Noble:  Clean cherry-pick
> Jammy:  fixed via stable
> Focal:  fixed via stable
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix addresses an issue in the ipv6 stack. Without the fix, users could
> potentially encounter unpredictable system behavior or a system crash.
>
>
> Eric Dumazet (1):
>   ipv6: prevent UAF in ip6_send_skb()
>
>  net/ipv6/ip6_output.c | 2 ++
>  1 file changed, 2 insertions(+)
>

Acked-by: Chris Chiu <chris.chiu@canonical.com>