On Wed, 7 Oct 2020 21:12:50 -0700 Cong Wang wrote:
> skb_unshare() drops a reference count on the old skb unconditionally,
> so in the failure case, we end up freeing the skb twice here.
> And because the skb is allocated in fclone and cloned by caller
> tipc_msg_reassemble(), the consequence is actually freeing the
> original skb too, thus triggering the UAF by syzbot.
>
> Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy().
>
> Fixes: ff48b6222e65 ("tipc: use skb_unshare() instead in tipc_buf_append()")
> Reported-and-tested-by: syzbot+e96a7ba46281824cc...@syzkaller.appspotmail.com
> Cc: Xin Long <lucien....@gmail.com>
> Cc: Jon Maloy <jma...@redhat.com>
> Cc: Ying Xue <ying....@windriver.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Applied and queued for stable, thank you!
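The ownership rule behind the fix, as an added user-space illustration that is not kernel or TIPC code: the `buf_*` functions below are a toy refcounted-buffer model whose contracts mirror `skb_clone`, `skb_cloned`, `skb_copy`, `skb_unshare` and `kfree_skb`; the `fail_next_copy` fault injection, the `double_frees` counter and the two `append_*` variants are constructed here so the double free on the failure path is observable instead of crashing.

```c
#include <stdlib.h>
#include <string.h>

/* Shared data block (stands in for skb_shared_info and its dataref). */
struct payload { int dataref; char bytes[32]; };
/* Buffer header (stands in for struct sk_buff). */
struct buf {
    int users;            /* header reference count, like skb->users */
    int released;         /* diagnostic: header already freed once */
    struct payload *data;
};

static int double_frees;    /* times a released header was freed again */
static int fail_next_copy;  /* force the next buf_copy() to fail (atomic alloc failure) */

static struct buf *buf_alloc(const char *s) {
    struct buf *b = calloc(1, sizeof *b);
    struct payload *p = calloc(1, sizeof *p);
    if (!b || !p) abort();
    p->dataref = 1;
    strncpy(p->bytes, s, sizeof p->bytes - 1);
    b->users = 1;
    b->data = p;
    return b;
}

/* New header sharing the same payload (skb_clone). */
static struct buf *buf_clone(struct buf *b) {
    struct buf *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->users = 1;
    c->data = b->data;
    b->data->dataref++;
    return c;
}

/* Payload shared with another header (skb_cloned). */
static int buf_cloned(const struct buf *b) { return b->data && b->data->dataref > 1; }

/* Drop one header reference (kfree_skb/consume_skb). Freeing a released header
 * is counted here; in the kernel that second free is the use-after-free. */
static void buf_free(struct buf *b) {
    if (!b) return;
    if (b->released) { double_frees++; return; }
    if (--b->users > 0) return;
    if (--b->data->dataref == 0) free(b->data);
    b->data = NULL;
    b->released = 1;   /* header struct is kept so the flag stays readable */
}

/* Private header and payload (skb_copy); may fail. */
static struct buf *buf_copy(struct buf *b) {
    if (fail_next_copy) { fail_next_copy = 0; return NULL; }
    return buf_alloc(b->data->bytes);
}

/* Same contract as skb_unshare(): if cloned, copy, then drop the old header
 * whether or not the copy succeeded. On failure the caller owns nothing. */
static struct buf *buf_unshare(struct buf *b) {
    struct buf *n;
    if (!buf_cloned(b)) return b;
    n = buf_copy(b);
    buf_free(b);
    return n;
}

/* Before the fix: the error path frees *buf, which buf_unshare() already dropped. */
static int append_before_fix(struct buf **buf) {
    struct buf *frag = buf_unshare(*buf);
    if (!frag) goto err;
    *buf = frag;
    return 1;
err:
    buf_free(*buf);   /* second release of the same header */
    *buf = NULL;
    return 0;
}

/* After the fix: copy only when cloned; the original stays with the caller until
 * the copy is known to have succeeded, so the error path releases it exactly once. */
static int append_after_fix(struct buf **buf) {
    struct buf *frag = *buf;
    if (buf_cloned(frag)) frag = buf_copy(frag);
    if (!frag) goto err;
    if (frag != *buf) buf_free(*buf);   /* copy succeeded: drop the clone once */
    *buf = frag;
    return 1;
err:
    buf_free(*buf);
    *buf = NULL;
    return 0;
}

/* Feed a cloned fragment to one variant with the copy forced to fail;
 * returns how many double frees were observed (1 before the fix, 0 after). */
static int run_failure_case(int (*append)(struct buf **)) {
    struct buf *orig = buf_alloc("frag"), *clone = buf_clone(orig), *c = clone;
    double_frees = 0;
    fail_next_copy = 1;
    append(&clone);    /* both variants report failure here */
    buf_free(orig);    /* last reference to the shared payload */
    free(orig);
    free(c);
    return double_frees;
}
```

The variable that matters is who owns the original header after the helper fails: `skb_unshare()` takes ownership and consumes it even on failure, so any caller whose error path also frees its own pointer to that skb frees it twice; `skb_cloned()` plus `skb_copy()` leaves the original with the caller until the copy is known to exist.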