ipv6: fix possible UAF in ip6_finish_output2()

[ Upstream commit da273b377ae0d9bd255281ed3c2adb228321687b ]

If skb_expand_head() returns NULL, skb has been freed
and associated dst/idev could also have been freed.

We need to hold rcu_read_lock() to make sure the dst and
associated idev are alive.

Fixes: 5796015fa968 ("ipv6: allocate enough headroom in ip6_finish_output2()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vasily Averin <vasily.averin@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240820160859.3786976-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index d44ddce4c9f4dd70f38f7b0e819ad022c09702ab..8778431acffdad17e8068d5969a27b85e0cf424e 100644 (file)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -70,11 +70,15 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
 
        /* Be paranoid, rather than too clever. */
        if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
+               /* Make sure idev stays alive */
+               rcu_read_lock();
                skb = skb_expand_head(skb, hh_len);
                if (!skb) {
                        IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+                       rcu_read_unlock();
                        return -ENOMEM;
                }
+               rcu_read_unlock();
        }
 
        hdr = ipv6_hdr(skb);