Commit 1ca6eff3 authored by Ben Hutchings, committed by shaohanlin

tcp: Clear sk_send_head after purging the write queue
Denis Andzakovic discovered a potential use-after-free in older kernel
versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
the TCP write queue and can leave sk->sk_send_head pointing to freed
memory.  tcp_disconnect() clears that pointer after calling
tcp_write_queue_purge(), but tcp_connect() does not.  It is
(surprisingly) possible to add to the write queue between
disconnection and reconnection, so this needs to be done in both
places.

This bug was introduced by backports of commit 7f582b248d0a ("tcp:
purge write queue in tcp_connect_init()") and does not exist upstream
because of earlier changes in commit 75c119afe14f ("tcp: implement
rb-tree based retransmit queue").  The latter is a major change that's
not suitable for stable.

Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
Cc: <stable@vger.kernel.org> # before 4.15
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 143009752
(cherry picked from commit e99e7745d03fc50ba7c5b7c91c17294fee2d5991)
Signed-off-by: Matthias Maennich <maennich@google.com>

Change-Id: Ie325f18e7fe1c327a45e149034b90d2e74922263
(cherry picked from commit 3ed1460d6b17326093eb657afa89a7274e444a32)
parent 0a17516b
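A userland model of the sequence the commit message describes, added here as an illustration; it is not kernel code and not this commit's diff (which is not shown on this page). The structs and helper names are simplified stand-ins chosen for the example, and a flag selects whether the purge routine clears the cached pointer, so the dangling `send_head` after disconnect, re-queue, reconnect can be observed without dereferencing freed memory:

```c
#include <stdlib.h>

/* Simplified stand-ins for the kernel's sk_buff and sock (assumed names, not kernel code):
 * write_queue is the TCP write queue, send_head a cached pointer into it (next skb to send). */
struct skb { struct skb *next; };
struct sock { struct skb *write_queue, *send_head; };

/* Append an skb; the first skb queued on an empty queue becomes send_head. */
static void write_queue_add(struct sock *sk)
{
    struct skb *n = calloc(1, sizeof *n), **pp = &sk->write_queue;
    while (*pp)
        pp = &(*pp)->next;
    *pp = n;
    if (!sk->send_head)
        sk->send_head = n;
}

/* Pre-fix tcp_write_queue_purge(): every skb is freed, send_head is left untouched. */
static void write_queue_purge_buggy(struct sock *sk)
{
    while (sk->write_queue) {
        struct skb *next = sk->write_queue->next;
        free(sk->write_queue);
        sk->write_queue = next;
    }
}

/* Fixed variant: clearing send_head is part of purging, so no caller can forget it. */
static void write_queue_purge_fixed(struct sock *sk)
{
    write_queue_purge_buggy(sk);
    sk->send_head = NULL;
}

/* Replays the sequence from the commit message: disconnect (which clears send_head itself),
 * queue data, reconnect (whose purge does not). Returns 1 if send_head is left pointing at
 * freed memory, 0 if it was cleared. The stale pointer is only compared, never dereferenced. */
int reconnect_leaves_dangling_head(int use_fix)
{
    struct sock sk = {0};
    void (*purge)(struct sock *) = use_fix ? write_queue_purge_fixed : write_queue_purge_buggy;
    write_queue_add(&sk);       /* data queued while connected */
    purge(&sk);                 /* tcp_disconnect(): purge ... */
    sk.send_head = NULL;        /* ... then clear explicitly */
    write_queue_add(&sk);       /* queued between disconnection and reconnection */
    purge(&sk);                 /* tcp_connect(): purge only */
    return sk.write_queue == NULL && sk.send_head != NULL;
}
```

With the buggy purge the function returns 1 (a freed skb is still referenced after reconnection); with the fixed purge it returns 0.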