Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg

[syzbot] KASAN: use-after-free Read in tipc_recvmsg · syzbot <hidden> · 2021-07-18
Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg · Pavel Skripkin <hidden> · 2021-07-23
Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg · Xin Long <lucien.xin@gmail.com> · 2021-07-23
Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg · Pavel Skripkin <hidden> · 2021-07-23
Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg · Pavel Skripkin <hidden> · 2021-07-23
Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg · syzbot <hidden> · 2021-07-23
Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg · syzbot <hidden> · 2021-07-23

From: Pavel Skripkin <hidden>
Date: 2021-07-23 16:53:01
Also in: lkml, netdev

On Fri, 23 Jul 2021 12:41:46 -0400
Xin Long [off-list ref] wrote:

quoted hunk ↗ jump to hunk

a fix already posted in tipc-discussion:

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 9b0b311c7ec1..b0dd183a4dbc 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c

@@ -1973,10 +1973,12 @@ static int tipc_recvmsg(struct socket *sock,

struct msghdr *m,
                tipc_node_distr_xmit(sock_net(sk), &xmitq);
        }

-       if (!skb_cb->bytes_read)
-               tsk_advance_rx_queue(sk);
+       if (skb_cb->bytes_read)
+               goto exit;
+
+       tsk_advance_rx_queue(sk);

-       if (likely(!connected) || skb_cb->bytes_read)
+       if (likely(!connected))
                goto exit;

Ok, thank you for informing


With regards,
Pavel Skripkin

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help