CVE-2021-47162

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 25/03/2024
Last modified: 13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if
the frag_list already has skbs from elsewhere, such as this skb was
created by pskb_copy() where the frag_list was cloned (all the skbs
in it were skb_get'ed) and shared by multiple skbs.

However, the new appended frag skb should have been only seen by the
current skb. Otherwise, it will cause use after free crashes as this
appended frag skb is seen by multiple skbs but it only got skb_get
called once.

The same thing happens with a skb updated by pskb_may_pull() with a
skb_cloned skb. Li Shuang has reported quite a few crashes caused
by this when doing testing over macvlan devices:

  [] kernel BUG at net/core/skbuff.c:1970!
  [] Call Trace:
  [] skb_clone+0x4d/0xb0
  [] macvlan_broadcast+0xd8/0x160 [macvlan]
  [] macvlan_process_broadcast+0x148/0x150 [macvlan]
  [] process_one_work+0x1a7/0x360
  [] worker_thread+0x30/0x390

  [] kernel BUG at mm/usercopy.c:102!
  [] Call Trace:
  [] __check_heap_object+0xd3/0x100
  [] __check_object_size+0xff/0x16b
  [] simple_copy_to_iter+0x1c/0x30
  [] __skb_datagram_iter+0x7d/0x310
  [] __skb_datagram_iter+0x2a5/0x310
  [] skb_copy_datagram_iter+0x3b/0x90
  [] tipc_recvmsg+0x14a/0x3a0 [tipc]
  [] ____sys_recvmsg+0x91/0x150
  [] ___sys_recvmsg+0x7b/0xc0

  [] kernel BUG at mm/slub.c:305!
  [] Call Trace:
  []
  [] kmem_cache_free+0x3ff/0x400
  [] __netif_receive_skb_core+0x12c/0xc40
  [] ? kmem_cache_alloc+0x12e/0x270
  [] netif_receive_skb_internal+0x3d/0xb0
  [] ? get_rx_page_info+0x8e/0xa0 [be2net]
  [] be_poll+0x6ef/0xd00 [be2net]
  [] ? irq_exit+0x4f/0x100
  [] net_rx_action+0x149/0x3b0

  ...

This patch is to fix it by linearizing the head skb if it has frag_list
set in tipc_buf_append(). Note that we choose to do this before calling
skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we cannot
just drop the frag_list either as the early time.

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.3 (including)   4.4.271 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.5 (including)   4.9.271 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.10 (including)  4.14.235 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.15 (including)  4.19.193 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.20 (including)  5.4.124 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5 (including)   5.10.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)  5.12.9 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
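As an added example (not part of the advisory): a small checker that tests an upstream kernel version string against the ranges in the table above, treating "From" as inclusive, "Up to" as exclusive, and the three 5.13 release candidates as individually listed. The function names and the sample version strings are my own.

```python
"""Check whether an upstream Linux kernel version is in the CVE-2021-47162 affected set."""
import re

# Affected ranges copied from the advisory's CPE table: (from, up_to).
# "from" is inclusive, "up_to" is exclusive (the first fixed release).
AFFECTED_RANGES = [
    ("4.3", "4.4.271"),
    ("4.5", "4.9.271"),
    ("4.10", "4.14.235"),
    ("4.15", "4.19.193"),
    ("4.20", "5.4.124"),
    ("5.5", "5.10.42"),
    ("5.11", "5.12.9"),
]
# Release candidates the table lists one by one (rc builds not listed are not flagged).
AFFECTED_RCS = {"5.13-rc1", "5.13-rc2", "5.13-rc3"}

# Accepts "5.10.41", "5.13-rc2" or a `uname -r` prefix such as "5.4.0-73-generic".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, rc); rc is None for a final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def is_affected(text):
    """True if the upstream version lies in an affected range or is a listed rc."""
    major, minor, patch, rc = parse_version(text)
    if rc is not None:
        return f"{major}.{minor}-rc{rc}" in AFFECTED_RCS
    key = (major, minor, patch)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo)[:3] <= key < parse_version(hi)[:3]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for v in ("5.10.41", "5.10.42", "4.4.270", "5.13-rc2", "5.13-rc4", "5.4.0-73-generic"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The answer is only as good as the upstream version number: distribution kernels routinely backport the fix without bumping the version, so a "5.4.0-73-generic" verdict must be confirmed against the distribution's own changelog or package advisory.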