Re: [PATCH net v3] net: fix use-after-free when UDP GRO with shared fraglist

On Fri, 8 Jan 2021 11:18:39 +0100 Daniel Borkmann wrote: > On 1/8/21 3:28 AM, Dongseok Yi wrote: > > skbs in fraglist could be shared by a BPF filter loaded at TC. If TC > > writes, it will call skb_ensure_writable -> pskb_expand_head to create > > a private linear section for the head_skb. And the

Re: [PATCH net v3] net: fix use-after-free when UDP GRO with shared fraglist

On 1/8/21 3:28 AM, Dongseok Yi wrote: skbs in fraglist could be shared by a BPF filter loaded at TC. If TC writes, it will call skb_ensure_writable -> pskb_expand_head to create a private linear section for the head_skb. And then call skb_clone_fraglist -> skb_get on each skb in the fraglist. sk

[PATCH net v3] net: fix use-after-free when UDP GRO with shared fraglist

skbs in fraglist could be shared by a BPF filter loaded at TC. If TC writes, it will call skb_ensure_writable -> pskb_expand_head to create a private linear section for the head_skb. And then call skb_clone_fraglist -> skb_get on each skb in the fraglist. skb_segment_list overwrites part of the sk