From patchwork Fri Nov 11 15:39:13 2022
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1702853
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][K][PATCH] devlink: Fix use-after-free after a failed reload
Date: Fri, 11 Nov 2022 10:39:13 -0500
Message-Id: <20221111153913.13431-4-yuxuan.luo@canonical.com>
In-Reply-To: <20221111153913.13431-1-yuxuan.luo@canonical.com>
References: <20221111153913.13431-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions
From: Ido Schimmel

After a failed devlink reload, devlink parameters are still registered,
which means user space can set and get their values. In the case of the
mlxsw "acl_region_rehash_interval" parameter, these operations will
trigger a use-after-free [1].

Fix this by rejecting set and get operations while in the failed state.
Return the "-EOPNOTSUPP" error code which does not abort the parameters
dump, but instead causes it to skip over the problematic parameter.

Another possible fix is to perform these checks in the mlxsw parameter
callbacks, but other drivers might be affected by the same problem and I
am not aware of scenarios where these stricter checks will cause a
regression.

[1]
mlxsw_spectrum3 0000:00:10.0: Port 125: Failed to register netdev
mlxsw_spectrum3 0000:00:10.0: Failed to create ports
==================================================================
BUG: KASAN: use-after-free in mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904
Read of size 4 at addr ffff8880099dcfd8 by task kworker/u4:4/777

CPU: 1 PID: 777 Comm: kworker/u4:4 Not tainted 5.19.0-rc7-custom-126601-gfe26f28c586d #1
Hardware name: QEMU MSN4700, BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x92/0xbd lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:313 [inline]
 print_report.cold+0x5e/0x5cf mm/kasan/report.c:429
 kasan_report+0xb9/0xf0 mm/kasan/report.c:491
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904
 mlxsw_sp_acl_region_rehash_intrvl_get+0x49/0x60 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c:1106
 mlxsw_sp_params_acl_region_rehash_intrvl_get+0x33/0x80 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3854
 devlink_param_get net/core/devlink.c:4981 [inline]
 devlink_nl_param_fill+0x238/0x12d0 net/core/devlink.c:5089
 devlink_param_notify+0xe5/0x230 net/core/devlink.c:5168
 devlink_ns_change_notify net/core/devlink.c:4417 [inline]
 devlink_ns_change_notify net/core/devlink.c:4396 [inline]
 devlink_reload+0x15f/0x700 net/core/devlink.c:4507
 devlink_pernet_pre_exit+0x112/0x1d0 net/core/devlink.c:12272
 ops_pre_exit_list net/core/net_namespace.c:152 [inline]
 cleanup_net+0x494/0xc00 net/core/net_namespace.c:582
 process_one_work+0x9fc/0x1710 kernel/workqueue.c:2289
 worker_thread+0x675/0x10b0 kernel/workqueue.c:2436
 kthread+0x30c/0x3d0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the physical page:
page:ffffea0000267700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99dc
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880099dce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880099dcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880099dcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff8880099dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880099dd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Fixes: 98bbf70c1c41 ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param")
Signed-off-by: Ido Schimmel
Reviewed-by: Jiri Pirko
Signed-off-by: David S. Miller
(cherry picked from commit 6b4db2e528f650c7fb712961aac36455468d5902)
CVE-2022-3625
Signed-off-by: Yuxuan Luo
---
 net/core/devlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/devlink.c b/net/core/devlink.c
index db76c55e1a6d..b4d7a7f749c1 100644
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -4413,7 +4413,7 @@ static int devlink_param_get(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->get) + if (!param->get || devlink->reload_failed) return -EOPNOTSUPP; return param->get(devlink, param->id, ctx); } @@ -4422,7 +4422,7 @@ static int devlink_param_set(struct devlink *devlink, const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->set) + if (!param->set || devlink->reload_failed) return -EOPNOTSUPP; return param->set(devlink, param->id, ctx); }
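Review bot: in the devlink_param_get hunk (@@ -4413) the new condition `!param->get || devlink->reload_failed` folds two unrelated situations into one -EOPNOTSUPP, so a caller cannot tell "this parameter has no getter" from "the device is sitting in a failed-reload state", and nothing in the hunk records that the second case is deliberate. A one-line comment above the test naming the failed-reload use-after-free from the commit message would stop the check being "simplified" away later, and the review should confirm that reload_failed is cleared again by a subsequent successful reload; if it is not, every parameter on the device becomes permanently unreadable rather than skipped until the device recovers.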
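Review bot: the devlink_param_set hunk (@@ -4422) repeats the guard from devlink_param_get verbatim, so any further parameter entry point added later has to remember to carry the same `|| devlink->reload_failed` test; a small shared predicate, or at least a cross-referencing comment in both functions, would make the invariant harder to lose. -EOPNOTSUPP is the right value for the dump path the commit message explains, but for a single set request it is indistinguishable from "this parameter is not settable", so where the netlink caller of devlink_param_set has an extack available, reporting the failed-reload reason there would save the operator a trip to dmesg.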
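The mechanism the commit message describes, as an added example that is not part of the patch or of the kernel's devlink code: a toy C model of a devlink-like device whose parameter callbacks stay registered after a failed reload. The type and function names (dl_device, dl_param, drv_priv, dl_reload, run_reload_scenario) are invented for the example; the only behaviour taken from the page is the guard condition the patch adds and the fact that -EOPNOTSUPP makes a parameter dump skip an entry rather than abort. The real kernel performs a use-after-free read of freed driver memory; the model leaves the freed pointer NULL and counts the access instead, so the failure is observable without undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct drv_priv { uint32_t rehash_intrvl; };	/* freed by reload_down() */
struct dl_param_ctx { uint32_t val; };
struct dl_device;
struct dl_param {
	int (*get)(struct dl_device *dev, struct dl_param_ctx *ctx);
};

/* Toy stand-in for struct devlink: params stay registered across reload. */
struct dl_device {
	struct drv_priv *priv;		/* NULL once reload_down() freed it */
	bool reload_failed;
	const struct dl_param *params;
	size_t nparams;
	unsigned int stale_hits;	/* a callback touched freed state */
};

/* Driver callback. Like the mlxsw getter in the KASAN splat it reads driver
 * state that is gone after a failed reload. Instead of a dangling pointer,
 * priv is NULL and the access is counted, so the bug is observable without UB. */
static int drv_rehash_get(struct dl_device *dev, struct dl_param_ctx *ctx)
{
	if (!dev->priv) {		/* real kernel: KASAN use-after-free read */
		dev->stale_hits++;
		ctx->val = 0;		/* whatever the freed memory holds */
		return 0;
	}
	ctx->val = dev->priv->rehash_intrvl;
	return 0;
}

static const struct dl_param drv_params[] = {
	{ drv_rehash_get },		/* "acl_region_rehash_interval" */
};

/* Core getter. guarded=false is the pre-patch check (callback present only);
 * guarded=true adds the reload_failed test from the patch. The set path in
 * the patch is the same check in front of p->set. */
static int dl_param_get(struct dl_device *dev, const struct dl_param *p,
			struct dl_param_ctx *ctx, bool guarded)
{
	if (!p->get || (guarded && dev->reload_failed))
		return -EOPNOTSUPP;
	return p->get(dev, ctx);
}

/* Dump: -EOPNOTSUPP skips an entry, any other error aborts the whole dump,
 * which is why the patch picks that errno. Returns entries written or -errno. */
static int dl_param_dump(struct dl_device *dev, bool guarded, uint32_t *out)
{
	int n = 0;
	for (size_t i = 0; i < dev->nparams; i++) {
		struct dl_param_ctx ctx = { 0 };
		int err = dl_param_get(dev, &dev->params[i], &ctx, guarded);
		if (err == -EOPNOTSUPP)
			continue;
		if (err)
			return err;
		out[n++] = ctx.val;
	}
	return n;
}

/* reload_down() always frees driver state; if reload_up() fails the device
 * stays registered with reload_failed set and no state behind its params.
 * A later successful reload clears the flag again. */
static int dl_reload(struct dl_device *dev, bool up_fails)
{
	free(dev->priv);
	dev->priv = up_fails ? NULL : calloc(1, sizeof(*dev->priv));
	dev->reload_failed = !dev->priv;
	if (dev->reload_failed)
		return -EIO;
	dev->priv->rehash_intrvl = 3000;
	return 0;
}

struct outcome { int dump_rc; uint32_t dumped; unsigned int stale_hits; };

/* Bring a device up, reload it (optionally failing reload_up), then run a
 * parameter dump against it with or without the fix. */
static struct outcome run_reload_scenario(bool up_fails, bool guarded)
{
	struct dl_device dev = { .params = drv_params, .nparams = 1 };
	struct outcome o = { 0 };

	dl_reload(&dev, false);			/* initial bring-up */
	dl_reload(&dev, up_fails);
	o.dump_rc = dl_param_dump(&dev, guarded, &o.dumped);
	o.stale_hits = dev.stale_hits;
	free(dev.priv);
	return o;
}
```

With guarded=false after a failed reload the dump reports one entry whose value came from freed state and the stale-access counter is 1; with guarded=true the same dump completes with zero entries and no stale access, and after a successful reload the guarded path returns the real value again. That last case is the property to check when reviewing whether the failed flag is cleared on a later successful reload.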