| field | value | date |
|---|---|---|
| author | Eric Dumazet <edumazet@google.com> | 2018-09-14 12:02:31 -0700 |
| committer | Moyster <oysterized@gmail.com> | 2019-05-03 19:24:03 +0200 |
| commit | 4ef894261582825de09b0c14f2c344c71a81e74c | |
| tree | 175b85acc8c52aa76220421bb2b3a7e4b91502fd /net/ipv6 | |
| parent | d1b5e22588c61060bf83d19bf886e4b57212630a | |
ipv6: fix possible use-after-free in ip6_xmit()
commit bbd6528d28c1b8e80832b3b018ec402b6f5c3215 upstream.
In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
we need to call skb_set_owner_w() before consuming original skb,
otherwise we risk a use-after-free.
Bring IPv6 in line with what we do in IPv4 to fix this.
Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Change-Id: Ib8308a54ddf72ef170dfe51255f2981e58c43760
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net/ipv6')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | net/ipv6/ip6_output.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 127f9bae2..69f2b259e 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -208,9 +208,10 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, kfree_skb(skb); return -ENOBUFS; } + if (skb->sk) + skb_set_owner_w(skb2, skb->sk); consume_skb(skb); skb = skb2; - skb_set_owner_w(skb, sk); } if (opt->opt_flen) ipv6_push_frag_opts(skb, opt, &proto); |
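Review bot: the ordering is the fix, and it is correct: consume_skb(skb) can run the original skb's destructor and drop the last reference it holds on the socket, so the old skb_set_owner_w(skb, sk) after consume_skb() dereferenced a socket that may already be freed; charging skb2 to the owner before consuming skb takes a new reference first. Two details the commit message should spell out, since they are not just a reorder: the owner now comes from skb->sk instead of the sk argument, and it is guarded by `if (skb->sk)`, so an skb that reaches this path without an owner now produces an unowned skb2 instead of one charged to sk. Confirm that every ip6_xmit caller either passes the skb's owning socket as sk or is fine with that, and say so in the message; it is the same pattern the IPv4 headroom path uses, which is what "in line with IPv4" refers to.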
