From patchwork Tue Apr 11 22:55:12 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1767871
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-5.17, OEM-6.0 1/1] net: mpls: fix stale pointer if allocation fails during device rename
Date: Wed, 12 Apr 2023 01:55:12 +0300
Message-Id: <20230411225512.211644-2-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20230411225512.211644-1-cengiz.can@canonical.com>
References: <20230411225512.211644-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions

From: Jakub Kicinski

lianhui reports that when MPLS fails to register the sysctl table
under new location (during device rename) the old pointers won't
get overwritten and may be freed again (double free).

Handle this gracefully. The best option would be unregistering
the MPLS from the device completely on failure, but unfortunately
mpls_ifdown() can fail. So failing fully is also unreliable.

Another option is to register the new table first then only
remove old one if the new one succeeds. That requires more
code, changes order of notifications and two tables may be
visible at the same time.

sysctl point is not used in the rest of the code - set to NULL
on failures and skip unregister if already NULL.

Reported-by: lianhui tang
Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski
Signed-off-by: David S. Miller
CVE-2023-26545
(cherry picked from commit fda6c89fe3d9aca073495a664e1d5aea28cd4377)
Signed-off-by: Cengiz Can Acked-by: Roxana Nicolescu --- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index d6fdc5782d33..cfb8b3594df6 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev, free: kfree(table); out: + mdev->sysctl = NULL; return -ENOBUFS; } @@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(struct net_device *dev, struct net *net = dev_net(dev); struct ctl_table *table; + if (!mdev->sysctl) + return; + table = mdev->sysctl->ctl_table_arg; unregister_net_sysctl_table(mdev->sysctl); kfree(table);
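
Review bot: In the first hunk (mpls_dev_sysctl_register), the new `mdev->sysctl = NULL;` under the `out:` label has no comment saying why a field is cleared on an error path, and the reason is only recoverable from the commit message. A one-line comment there, noting that the old table was already freed by the unregister step of a rename and that the stale pointer must not reach mpls_dev_sysctl_unregister() again, would keep a later cleanup from dropping the assignment. Placing it at `out:` rather than `free:` is right, since both the `kfree(table)` fall-through and any direct jump to `out:` end up with the pointer cleared before `return -ENOBUFS;`.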
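
Review bot: In the second hunk (mpls_dev_sysctl_unregister), the new `if (!mdev->sysctl) return;` guard only helps when something else has already set the pointer to NULL; the visible lines still leave `mdev->sysctl` pointing at the header after `unregister_net_sysctl_table(mdev->sysctl); kfree(table);`. Consider clearing the pointer right after `kfree(table);` so the guard also covers a second unregister that is not preceded by a register attempt, or confirm that every caller pairs the two. The early return also skips whatever the function does after `kfree(table);`, which is outside the context shown here, so it is worth checking that skipping it for a device with no table is intended.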