Description
In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
Product status
96d1c81e6a0478535342dff6c730adb076cd84e8 (git) before cb3d6efa78460e6d50bf68806d0db66265709f64
96d1c81e6a0478535342dff6c730adb076cd84e8 (git) before 9649d051e54413049c009638ec1dc23962c884a4
96d1c81e6a0478535342dff6c730adb076cd84e8 (git) before eec8a1b18a79600bd4419079dc0026c1db72a830
96d1c81e6a0478535342dff6c730adb076cd84e8 (git) before 2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c
96d1c81e6a0478535342dff6c730adb076cd84e8 (git) before 424e95d62110cdbc8fd12b40918f37e408e35a92
6.4
Any version before 6.4
6.6.131 (semver)
6.12.80 (semver)
6.18.21 (semver)
6.19.11 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/cb3d6efa78460e6d50bf68806d0db66265709f64
git.kernel.org/...c/9649d051e54413049c009638ec1dc23962c884a4
git.kernel.org/...c/eec8a1b18a79600bd4419079dc0026c1db72a830
git.kernel.org/...c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c
git.kernel.org/...c/424e95d62110cdbc8fd12b40918f37e408e35a92