CVE-2022-48956

Source
https://cve.org/CVERecord?id=CVE-2022-48956
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48956.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48956
Downstream
Related
Published
2024-10-21T20:05:42.379Z
Modified
2026-05-12T03:52:07.572779Z
Summary
ipv6: avoid use-after-free in ip6_fragment()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid use-after-free in ip6_fragment()

Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.

It seems to not be always true, at least for UDP stack.

syzbot reported:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618

CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 ip6_dst_idev include/net/ip6_fib.h:245 [inline]
 ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
 ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:445 [inline]
 ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
 ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
 udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xd3/0x120 net/socket.c:734
 sock_write_iter+0x295/0x3d0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2191 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x9ed/0xdd0 fs/read_write.c:584
 ksys_write+0x1ec/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
 </TASK>

Allocated by task 7618:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
 dst_alloc+0x14a/0x1f0 net/core/dst.c:92
 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
 ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
 ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
 pol_lookup_func include/net/ip6_fib.h:582 [inline]
 fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
 ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
 ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
 ip6_route_output include/net/ip6_route.h:98 [inline]
 ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
 ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
 ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
 udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
 sock_sendmsg_nosec n ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48956.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1758fd4688eb92c796e75bdb1d256dc558ef9581
Fixed
b3d7ff8c04a83279fb7641fc4d5aa82a602df7c0
Fixed
7e0dcd5f3ade221a6126278aca60c8ab4cc3bce9
Fixed
6b6d3be3661bff2746cab26147bd629aa034e094
Fixed
8208d7e56b1e579320b9ff3712739ad2e63e1f86
Fixed
7390c70bd431cbfa6951477e2c80a301643e284b
Fixed
9b1a468a455d8319041528778d0e684a4c062792
Fixed
803e84867de59a1e5d126666d25eb4860cfd2ebe

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48956.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.13.0
Fixed
4.14.302
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.269
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.227
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.159
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.83
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.13

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48956.json"
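The ECOSYSTEM ranges above are half-open (introduced is inclusive, fixed is exclusive). The following is an added example, not part of the OSV record or of the kernel project, showing how a practitioner would turn that table into a check against a `uname -r` style string. The range tuples are transcribed from the page; the release strings in the comments and the parsing rules for distribution suffixes are assumptions made here.

```python
"""Check a kernel release string against the affected ranges on this page.

Added example; the range table below is transcribed from the "Linux / Kernel"
ECOSYSTEM events above. OSV semantics: introduced <= version < fixed.
"""
import re

# (introduced, fixed) as (major, minor, patch) tuples, one per range above.
AFFECTED_RANGES = [
    ((4, 13, 0), (4, 14, 302)),
    ((4, 15, 0), (4, 19, 269)),
    ((4, 20, 0), (5, 4, 227)),
    ((5, 5, 0), (5, 10, 159)),
    ((5, 11, 0), (5, 15, 83)),
    ((5, 16, 0), (6, 0, 13)),
]


def parse_kernel_version(release: str) -> tuple:
    """Extract (major, minor, patch) from a release string.

    Anything after the numeric prefix (e.g. "-91-generic", "-rc6-syzkaller",
    "+") is ignored; a missing patch level such as "6.1" is treated as 0.
    These suffix rules are an assumption of this example, not an OSV rule.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(release: str) -> bool:
    """True if the upstream version number lies in any affected range."""
    version = parse_kernel_version(release)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def matching_range(release: str):
    """Return the (introduced, fixed) pair that matches, or None."""
    version = parse_kernel_version(release)
    for lo, hi in AFFECTED_RANGES:
        if lo <= version < hi:
            return (lo, hi)
    return None


if __name__ == "__main__":
    import platform
    release = platform.release()  # equivalent of `uname -r`
    rng = matching_range(release)
    if rng is None:
        print(f"{release}: outside the listed affected ranges")
    else:
        lo, hi = rng
        print(f"{release}: in affected range "
              f"{'.'.join(map(str, lo))} <= v < {'.'.join(map(str, hi))}")
```

Two caveats a practitioner should keep in mind. First, this compares upstream version numbers only: a distribution kernel that reports, say, 5.15.0 will match the 5.11.0 to 5.15.83 range even when the distribution has backported the fix, so for vendor kernels the package changelog or the vendor advisory is authoritative, not this table. Second, the ranges are expressed in released stable versions; a mainline or release-candidate build (the syzbot report above ran on 6.1.0-rc6) parses as 6.1.0 and falls outside every range, so for such trees the right check is whether the tree contains one of the fixing commits listed under the GIT range, for example with `git merge-base --is-ancestor <fixed-commit> HEAD`.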