CVE-2022-49017
Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 24/10/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: re-fetch skb cb after tipc_msg_validate

As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause a use-after-free crash.

BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
Call Trace:

tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
...
Allocated by task 47078:
kmem_cache_alloc_node+0x158/0x4d0
__alloc_skb+0x1c1/0x270
tipc_buf_acquire+0x1e/0xe0 [tipc]
tipc_msg_create+0x33/0x1c0 [tipc]
tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
tipc_link_timeout+0x8b8/0xef0 [tipc]
tipc_node_timeout+0x2a1/0x960 [tipc]
call_timer_fn+0x2d/0x1c0
...
Freed by task 47078:
tipc_msg_validate+0x7b/0x440 [tipc]
tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the newly allocated skb
after calling tipc_msg_validate().
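The commit message above describes a common kernel use-after-free shape: a helper that receives the buffer through a double pointer may replace it (freeing the original), and a caller that cached a pointer into the old buffer before the call keeps using it afterwards. The C program below is an added example written for this page, not kernel code and not part of the advisory. It models that pattern with invented names (model_skb, model_cb, model_validate, rcv_complete_vulnerable, rcv_complete_fixed, run_scenario); the "allocation at least 4x the payload" replacement condition is an assumption of the model, and the single-slot quarantine stands in for the KASAN instrumentation that produced the quoted report. The vulnerable path mirrors tipc_crypto_rcv_complete() fetching the cb before tipc_msg_validate(); the fixed path re-fetches it afterwards, which is what the patch does.

```c
/* Added example, not kernel code: a minimal model of the CVE-2022-49017
 * pattern. A validation routine may replace the buffer it is handed and
 * free the original; a caller that cached a pointer into the old buffer's
 * control block before the call then writes through freed memory.
 * Every name below (model_skb, model_validate, rcv_complete_*) is invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_cb { uint8_t decrypted, validated; };   /* like skb->cb */
struct model_skb {
    size_t len;             /* payload length */
    size_t truesize;        /* size of the payload allocation */
    struct model_cb cb;     /* control block embedded in the buffer */
    uint8_t data[];         /* payload storage, truesize bytes */
};
#define MODEL_SKB_CB(skb) (&(skb)->cb)
enum { RCV_OK = 0, RCV_UAF = 1, RCV_NOMEM = -1 };

/* Single-slot quarantine: model_free() holds back the most recently freed
 * buffer instead of releasing it, so a stale pointer into it can be recognised
 * without undefined behaviour (the role KASAN played in the report above). */
static struct model_skb *quarantine;

static struct model_skb *model_alloc(size_t len, size_t truesize)
{
    struct model_skb *skb = len ? calloc(1, sizeof(*skb) + truesize) : NULL;
    if (skb) {
        skb->len = len;
        skb->truesize = truesize;
    }
    return skb;
}

static void model_free(struct model_skb *skb)
{
    free(quarantine);       /* the previous occupant is really released now */
    quarantine = skb;
}

/* Models the relevant behaviour of tipc_msg_validate(): a buffer whose
 * allocation is far larger than its payload is replaced by a tight copy, the
 * original is freed and *_skb is updated (the 4x threshold is this model's
 * assumption). Pointers into the old buffer are dangling once this returns. */
static bool model_validate(struct model_skb **_skb)
{
    struct model_skb *skb = *_skb;
    if (skb->truesize / skb->len >= 4) {
        struct model_skb *copy = model_alloc(skb->len, skb->len);
        if (!copy) return false;
        memcpy(copy->data, skb->data, skb->len);
        copy->cb = skb->cb;
        model_free(skb);
        *_skb = skb = copy;
    }
    MODEL_SKB_CB(skb)->validated = 1;
    return true;
}

/* Vulnerable shape: control block fetched once, before validation, written
 * after it. The quarantine check stands in for KASAN; the real code has no
 * such check and silently corrupts freed memory. */
static int rcv_complete_vulnerable(struct model_skb **skb)
{
    struct model_cb *skb_cb = MODEL_SKB_CB(*skb);   /* may go stale below */
    if (!model_validate(skb)) return RCV_NOMEM;
    if (quarantine && skb_cb == MODEL_SKB_CB(quarantine))
        return RCV_UAF;                             /* write would hit freed buffer */
    skb_cb->decrypted = 1;
    return RCV_OK;
}

/* Fixed shape: re-fetch the control block from *skb after validation. */
static int rcv_complete_fixed(struct model_skb **skb)
{
    if (!model_validate(skb)) return RCV_NOMEM;
    MODEL_SKB_CB(*skb)->decrypted = 1;              /* current buffer */
    return RCV_OK;
}

static int last_decrypted;  /* flag on whichever buffer was live after the last run */

/* Runs one receive path on a constructed buffer and returns its result code. */
static int run_scenario(const char *name, size_t len, size_t truesize, bool fixed)
{
    struct model_skb *skb = model_alloc(len, truesize);
    if (!skb) return RCV_NOMEM;
    int rc = fixed ? rcv_complete_fixed(&skb) : rcv_complete_vulnerable(&skb);
    last_decrypted = MODEL_SKB_CB(skb)->decrypted;
    model_free(skb);
    printf("%-34s rc=%d decrypted=%d\n", name, rc, last_decrypted);
    return rc;
}

int main(void)
{
    run_scenario("tight buffer, vulnerable path", 64, 64, false);
    run_scenario("inflated buffer, vulnerable path", 64, 4096, false);
    run_scenario("inflated buffer, fixed path", 64, 4096, true);
    free(quarantine);
    return 0;
}
```

With a tight buffer the vulnerable path behaves correctly, which is why such bugs survive normal testing; only the oversized buffer makes the validation step reallocate, and then the cached cb pointer refers to the quarantined (in the kernel: freed) object. The practitioner's rule this illustrates: after any call that takes the skb by double pointer and may replace it, every pointer derived from the old skb (cb, header, data) has to be re-derived from the updated pointer.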
Impact
Base Score (CVSS 3.x): 7.8
Severity (CVSS 3.x): HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.158 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.82 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* | | |