From patchwork Thu Aug 3 18:43:38 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1816640
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L][PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Thu, 3 Aug 2023 14:43:38 -0400
Message-Id: <20230803184338.24328-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230803184338.24328-1-yuxuan.luo@canonical.com>

From: Lee Jones

In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can be
used to do 'bad things'.

In order to prevent this, move the point of possible failure above the
point where the reference counter is incremented. Also save any
meaningful return values to be applied to the return data at the
appropriate point in time.

This issue was caught with KASAN.

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
Suggested-by: Eric Dumazet
Signed-off-by: Lee Jones
Reviewed-by: Eric Dumazet
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
(cherry picked from commit 04c55383fa5689357bcdd2c8036725a55ed632bc)
CVE-2023-3609
Signed-off-by: Yuxuan Luo
---
 net/sched/cls_u32.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 4e2e269f121f8..d15d50de79802 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -718,13 +718,19 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, struct nlattr *est, u32 flags, u32 fl_flags, struct netlink_ext_ack *extack) { - int err; + int err, ifindex = -1; err = tcf_exts_validate_ex(net, tp, tb, est, &n->exts, flags, fl_flags, extack); if (err < 0) return err; + if (tb[TCA_U32_INDEV]) { + ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); + if (ifindex < 0) + return -EINVAL; + } + if (tb[TCA_U32_LINK]) { u32 handle = nla_get_u32(tb[TCA_U32_LINK]); struct tc_u_hnode *ht_down = NULL, *ht_old; @@ -759,13 +765,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, tcf_bind_filter(tp, &n->res, base); } - if (tb[TCA_U32_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); - if (ret < 0) - return -EINVAL; - n->ifindex = ret; - } + if (ifindex >= 0) + n->ifindex = ifindex; + return 0; }
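
Review bot: In the first hunk of u32_set_parms(), the new early check "if (ifindex < 0) return -EINVAL;" discards whatever negative value tcf_change_indev() returned, so the caller cannot tell one failure cause from another. The removed block behaved the same way, so this is not a regression, but the value is now held in ifindex anyway and "return ifindex;" would propagate it; if -EINVAL is kept on purpose to preserve the existing error seen by userspace, a short comment saying so would help. Given the [F/J/L] subject, it is also worth confirming that the tcf_exts_validate_ex(..., flags, fl_flags, extack) context shown here matches all three trees, since the patch is presented as a clean cherry pick.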
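
Review bot: In the second hunk, at the end of u32_set_parms(), "if (ifindex >= 0)" depends on the "ifindex = -1" initialiser from the first hunk as the marker for "no TCA_U32_INDEV attribute", and nothing in the code records that the lookup was hoisted above the TCA_U32_LINK block deliberately. A one-line comment at the lookup or at this assignment (for example, that every check that can fail must stay ahead of the point where the reference is taken) would keep a later cleanup from moving the failing call back below the increment. The visible lines also do not show whether any other return remains between the increment and "return 0", which should be checked against the full function.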
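
The ordering problem the commit message describes, as an added C model that is not part of the patch or of the kernel source. The struct, the 8-bit counter and every function name are constructed for illustration; lookup_indev() is a hypothetical stand-in for a call that can fail.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model, not kernel code. The counter is 8 bits wide so the
 * wrap is reached after a few hundred calls. */
struct node { uint8_t refcnt; int freed; };

static void node_get(struct node *n) { n->refcnt++; }
static void node_put(struct node *n) { if (--n->refcnt == 0) n->freed++; }
/* Hypothetical stand-in for a lookup that can fail. */
static int lookup_indev(int valid) { return valid ? 3 : -1; }

/* Leaky ordering: the reference is taken first, the failure path has no put. */
static int set_parms_leaky(struct node *n, int valid, int *ifindex_out)
{
    node_get(n);
    int ret = lookup_indev(valid);
    if (ret < 0)
        return -1;              /* n->refcnt stays incremented */
    *ifindex_out = ret;
    return 0;
}

/* Fixed ordering: everything that can fail runs before the get. */
static int set_parms_fixed(struct node *n, int valid, int *ifindex_out)
{
    int ifindex = lookup_indev(valid);
    if (ifindex < 0)
        return -1;
    node_get(n);                /* kept on success, as a link would be */
    *ifindex_out = ifindex;
    return 0;
}

/* Owner holds one reference; after `fails` failing calls a short-lived user
 * does get+put. Returns 1 if that put freed the node under the owner. */
static int freed_while_owned(int (*fn)(struct node *, int, int *), int fails)
{
    struct node n = { .refcnt = 1, .freed = 0 };
    int ifindex = -1;
    for (int i = 0; i < fails; i++)
        fn(&n, 0, &ifindex);
    node_get(&n);
    node_put(&n);
    return n.freed;
}

int main(void)
{
    printf("leaky: %d\n", freed_while_owned(set_parms_leaky, 255));
    printf("fixed: %d\n", freed_while_owned(set_parms_fixed, 255));
    return 0;
}
```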