    udp6: Fix race condition in udp6_sendmsg & connect · 448a5ce1
    Vladislav Efanov authored
    Syzkaller got the following report:
    BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
    Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255
    
    The function sk_setup_caps (called by ip6_sk_dst_store_flow->
    ip6_dst_store) referenced already-freed memory, as this memory was
    freed by a parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
    sk_dst_check.
    
              task1 (connect)              task2 (udp6_sendmsg)
            sk_setup_caps->sk_dst_set |
                                      |  sk_dst_check->
                                      |      sk_dst_set
                                      |      dst_release
            sk_setup_caps references  |
            to already freed dst_entry|
    
    The reason for this race condition is: sk_setup_caps() keeps using
    the dst after transferring the ownership to the dst cache.
    
    Found by Linux Verification Center (linuxtesting.org) with syzkaller.
    
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
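To make the ordering in the commit message's diagram concrete, the following is an added C example; it is not the kernel's code and not this commit's diff. It replays the task1/task2 interleaving single-threaded, with simplified stand-ins for dst_entry, sock, sk_dst_set and dst_release (all names and fields here are this example's assumptions, not the kernel's definitions). The freed object is poisoned rather than free()d so the stale dereference shows up deterministically; the real race needs a second CPU and KASAN to catch it. The "safe" ordering, finishing every use of dst before the reference is handed to the cache, follows the commit message's diagnosis that sk_setup_caps kept using dst after transferring ownership.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins (assumed for this example, not kernel definitions). */
struct dst_entry {
	int refcnt;      /* the kernel uses an atomic here; plain int is enough single-threaded */
	int features;    /* stands in for dst->dev->features, which sk_setup_caps reads */
	bool freed;      /* poison flag: set instead of free() so a stale read is detectable */
};

struct sock {
	struct dst_entry *sk_dst_cache;  /* the cache owns exactly one reference */
	int sk_route_caps;
};

static bool stale_read_observed;

static struct dst_entry *dst_alloc(int features)
{
	struct dst_entry *d = calloc(1, sizeof *d);
	if (!d)
		abort();
	d->refcnt = 1;
	d->features = features;
	return d;
}

/* Drop one reference; the last one "frees" (poisons) the object. */
static void dst_release(struct dst_entry *d)
{
	if (--d->refcnt == 0)
		d->freed = true;
}

/* Publish a new dst in the cache and release the cache's old one. */
static void sk_dst_set(struct sock *sk, struct dst_entry *d)
{
	struct dst_entry *old = sk->sk_dst_cache;

	sk->sk_dst_cache = d;
	if (old)
		dst_release(old);
}

/* Dereference dst the way sk_setup_caps does; record it if dst is already gone. */
static int dst_features(const struct dst_entry *d)
{
	if (d->freed) {
		stale_read_observed = true;
		return -1;
	}
	return d->features;
}

/* task2 (udp6_sendmsg -> sk_dst_check): swaps in a fresh dst, releasing the old one. */
static void task2_sk_dst_check(struct sock *sk, struct dst_entry *fresh)
{
	sk_dst_set(sk, fresh);
}

/* Racy ordering: hand the only reference to the cache first, keep using dst after. */
static int setup_caps_racy(struct sock *sk, struct dst_entry *dst,
			   struct dst_entry *fresh)
{
	sk_dst_set(sk, dst);                    /* ownership transferred to the cache */
	task2_sk_dst_check(sk, fresh);          /* parallel task releases dst: refcnt hits 0 */
	sk->sk_route_caps = dst_features(dst);  /* use-after-free */
	return sk->sk_route_caps;
}

/* Safe ordering: finish every use of dst while this task still owns it. */
static int setup_caps_safe(struct sock *sk, struct dst_entry *dst,
			   struct dst_entry *fresh)
{
	sk->sk_route_caps = dst_features(dst);  /* dst still owned by us */
	sk_dst_set(sk, dst);                    /* now transfer ownership */
	task2_sk_dst_check(sk, fresh);          /* releasing dst here is harmless */
	return sk->sk_route_caps;
}

/* Run one ordering; returns true if a poisoned (freed) dst was dereferenced. */
static bool run_scenario(bool safe_order)
{
	struct sock sk = { 0 };
	struct dst_entry *dst = dst_alloc(0x1);    /* constructed sample route */
	struct dst_entry *fresh = dst_alloc(0x2);  /* constructed replacement route */

	stale_read_observed = false;
	if (safe_order)
		setup_caps_safe(&sk, dst, fresh);
	else
		setup_caps_racy(&sk, dst, fresh);

	sk_dst_set(&sk, NULL);  /* drop the cache's reference to fresh */
	free(dst);
	free(fresh);
	return stale_read_observed;
}

int main(void)
{
	printf("racy ordering: stale read %s\n", run_scenario(false) ? "observed" : "not observed");
	printf("safe ordering: stale read %s\n", run_scenario(true) ? "observed" : "not observed");
	return 0;
}
```

Build with `cc -std=c11 -Wall race_replay.c`. The point the replay isolates is the ownership rule: once sk_dst_set has published the pointer, the cache (and whoever swaps it out) decides when dst dies, so every read through dst has to happen before that call, or the caller must hold its own extra reference across the reads.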