Overview
- Description
- In the Linux kernel, the following vulnerability has been resolved: tipc: re-fetch skb cb after tipc_msg_validate As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate().
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- CWE-416
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D0FB1AF1-0A0B-4419-B25F-C61F17380E18",
"versionEndExcluding": "5.10.158",
"versionStartIncluding": "5.5"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0DC20DB6-73C1-4465-B931-117BFB8EBB02",
"versionEndExcluding": "5.15.82",
"versionStartIncluding": "5.11"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D6D56E90-F3EE-413D-B3E2-B518932F0C7D",
"versionEndExcluding": "6.0.12",
"versionStartIncluding": "5.16"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "35B26BE4-43A6-4A36-A7F6-5B3F572D9186"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3FFFB0B3-930D-408A-91E2-BAE0C2715D80"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8535320E-A0DB-4277-800E-D0CE5BBA59E8"
}
],
"operator": "OR"
}
]
}
]