From patchwork Tue Jun 6 23:01:19 2023
X-Patchwork-Submitter: William Tu
X-Patchwork-Id: 1791458
From: William Tu
Subject: [SRU][J:linux-bluefield][PATCH v3 10/11] net/sched: clear actions pointer in miss cookie init fail
Date: Wed, 7 Jun 2023 02:01:19 +0300
Message-ID: <20230606230120.407292-11-witu@nvidia.com>
In-Reply-To: <20230606230120.407292-1-witu@nvidia.com>
References: <20230606230120.407292-1-witu@nvidia.com>
Cc: dann.frazier@canonical.com, paulb@nvidia.com, vlad@nvidia.com, yifeid@nvidia.com, bodong@nvidia.com

From: Pedro Tammela

BugLink: https://bugs.launchpad.net/bugs/2012571

Palash reports a UAF when using a modified version of syzkaller[1].

When 'tcf_exts_miss_cookie_base_alloc()' fails in 'tcf_exts_init_ex()'
a call to 'tcf_exts_destroy()' is made to free up the tcf_exts
resources.
In flower, a call to '__fl_put()' when 'tcf_exts_init_ex()' fails is made;
Then calling 'tcf_exts_destroy()', which triggers an UAF since the
already freed tcf_exts action pointer is lingering in the struct.

Before the offending patch, this was not an issue since there was no
case where the tcf_exts action pointer could linger. Therefore, restore
the old semantic by clearing the action pointer in case of a failure to
initialize the miss_cookie.

[1] https://github.com/cmu-pasta/linux-kernel-enriched-corpus

v1->v2: Fix compilation on configs without tc actions (kernel test robot)

Fixes: 80cd22c35c90 ("net/sched: cls_api: Support hardware miss to tc action")
Reported-by: Palash Oswal
Acked-by: Jamal Hadi Salim
Signed-off-by: Pedro Tammela
Signed-off-by: David S. Miller
(cherry picked from commit 338469d677e5d426f5ada88761f16f6d2c7c1981)
Signed-off-by: William Tu
--- net/sched/cls_api.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 9848eb41ec08..c5b2a45abe18 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c 
@@ -3202,6 +3202,9 @@ int tcf_exts_init_ex(struct tcf_exts *exts, struct net *net, int action, err_miss_alloc: tcf_exts_destroy(exts); +#ifdef CONFIG_NET_CLS_ACT + exts->actions = NULL; +#endif return err; } EXPORT_SYMBOL(tcf_exts_init_ex);
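Review bot: the `exts->actions = NULL;` store after `tcf_exts_destroy(exts)` at the `err_miss_alloc` label carries no comment explaining why a just-destroyed structure needs its pointer reset, and the reason (the classifier's own error path, flower's `__fl_put()` per the commit message, calls `tcf_exts_destroy()` a second time on the same `exts`) is not visible from this function. A one-line comment above the `#ifdef CONFIG_NET_CLS_ACT` block would keep a later cleanup from removing it as dead code. It is also worth asking whether the reset belongs inside `tcf_exts_destroy()` itself: clearing the pointer only on this one label protects the miss-cookie failure path, while any other caller that ends up destroying the same `exts` twice would still see the stale `actions` pointer.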