Description: In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.
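The ordering rule above, shown with a constructed userspace model added here (not kernel code): a toy socket with a published `sk_dst_cache` pointer and a refcounted `dst_entry`, where the concurrent RCU reader is represented by a read of the pointer placed between the two steps of each sequence. Clearing first and releasing second (the `sk_dst_reset()` order) leaves the reader with NULL; releasing first leaves it holding a dst whose refcount has already reached zero.

```c
#include <stddef.h>

/* Constructed model of the kernel objects involved; field names follow the
 * commit message, but the structs and helpers here are illustrative only. */
struct dst_entry {
    int refcnt;
    int freed;   /* set when the last reference is dropped (stands in for kfree) */
};

struct sock {
    struct dst_entry *sk_dst_cache;   /* published pointer, read locklessly under RCU */
};

/* dst_release(): drop one reference; at zero the model marks the object
 * freed instead of returning memory, so a stale pointer stays observable. */
static void dst_release(struct dst_entry *dst)
{
    if (dst && --dst->refcnt == 0)
        dst->freed = 1;
}

/* Correct order, as sk_dst_reset() does it: unpublish the pointer first so no
 * reader can pick it up, then drop the reference.  Returns what a reader
 * racing between the two steps would observe. */
static struct dst_entry *reset_then_release(struct sock *sk)
{
    struct dst_entry *old = sk->sk_dst_cache;   /* xchg(&sk->sk_dst_cache, NULL) in the kernel */
    sk->sk_dst_cache = NULL;
    struct dst_entry *seen = sk->sk_dst_cache;  /* racing reader: sees NULL, does a fresh route lookup */
    dst_release(old);
    return seen;
}

/* Wrong order, the pattern the fix removes from __dst_negative_advice(): the
 * reference is dropped while the pointer is still published. */
static struct dst_entry *release_then_reset(struct sock *sk)
{
    struct dst_entry *old = sk->sk_dst_cache;
    dst_release(old);
    struct dst_entry *seen = sk->sk_dst_cache;  /* racing reader: still sees old, possibly already freed */
    sk->sk_dst_cache = NULL;
    return seen;
}

/* Returns 1 if the pointer a racing reader observed refers to a freed dst. */
static int reader_saw_freed_dst(const struct dst_entry *seen)
{
    return seen != NULL && seen->freed;
}
```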