From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy-OEM-5.17/OEM-6.0][PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Thu, 3 Aug 2023 15:00:29 -0400
Message-Id: <20230803190029.53725-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230803190029.53725-1-yuxuan.luo@canonical.com>
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1816645

From: Lee Jones

In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can be
used to do 'bad things'.

In order to prevent this, move the point of possible failure above the
point where the reference counter is incremented. Also save any
meaningful return values to be applied to the return data at the
appropriate point in time.

This issue was caught with KASAN.

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
Suggested-by: Eric Dumazet
Signed-off-by: Lee Jones
Reviewed-by: Eric Dumazet
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
(cherry picked from commit 04c55383fa5689357bcdd2c8036725a55ed632bc)
CVE-2023-3609
Signed-off-by: Yuxuan Luo --- net/sched/cls_u32.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 4e2e269f121f8..d15d50de79802 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -718,13 +718,19 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, struct nlattr *est, u32 flags, u32 fl_flags, struct netlink_ext_ack *extack) { - int err; + int err, ifindex = -1; err = tcf_exts_validate_ex(net, tp, tb, est, &n->exts, flags, fl_flags, extack); if (err < 0) return err; + if (tb[TCA_U32_INDEV]) { + ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); + if (ifindex < 0) + return -EINVAL; + } + if (tb[TCA_U32_LINK]) { u32 handle = nla_get_u32(tb[TCA_U32_LINK]); struct tc_u_hnode *ht_down = NULL, *ht_old; @@ -759,13 +765,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, tcf_bind_filter(tp, &n->res, base); } - if (tb[TCA_U32_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); - if (ret < 0) - return -EINVAL; - n->ifindex = ret; - } + if (ifindex >= 0) + n->ifindex = ifindex; + return 0; }
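Review bot: the tb[TCA_U32_INDEV] block added in the first hunk (@@ -718) has no comment saying that it must run before the tb[TCA_U32_LINK] handling that follows it. The commit message gives the reason (a failure has to return before the reference counter is incremented), but at the call site the ordering looks arbitrary and a later cleanup could move the block back down. A one-line comment above the block stating that the indev lookup is done first so that its error return happens before any reference is taken would preserve the invariant. Separately, "return -EINVAL" still discards the negative value now held in ifindex; that matches the code removed in the second hunk, so it is right for a cherry-pick, but it is worth saying in a comment if collapsing the error code is intended.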
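Review bot: in the second hunk (@@ -759), "if (ifindex >= 0)" is only correct because ifindex is initialised to -1 in the declaration changed by the first hunk, and nothing at the assignment says that -1 means "TCA_U32_INDEV was not supplied". The two sites are far apart in the function, so a short comment here or a named sentinel would make the coupling explicit and keep a future change to the initialiser from silently writing n->ifindex. The placement of the deferred assignment is otherwise sound: it is followed only by "return 0;", so no failure path remains after state has been committed.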
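The failure mode the commit message describes, reduced to a user-space C model. This is an added example, not code from the patch or the kernel: the struct, the function names and the 8-bit counter are assumptions, chosen so that the wrap-around is reached after a few hundred failed calls.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; every name below is hypothetical, not kernel code. */
struct table { uint8_t refcnt; };    /* 8-bit so the wrap is quick to reach */

/* Stand-in for a lookup that can fail (the role tcf_change_indev() plays). */
static int resolve_dev(int dev_ok) { return dev_ok ? 3 : -ENODEV; }

/* Pre-patch ordering: take the reference, then run the step that can fail. */
static int set_parms_leaky(struct table *t, int dev_ok, int *ifindex)
{
    t->refcnt++;                     /* reference taken */
    int ret = resolve_dev(dev_ok);
    if (ret < 0)
        return -EINVAL;              /* early return: reference never dropped */
    *ifindex = ret;
    return 0;
}

/* Patched ordering: run the fallible step first, commit side effects last. */
static int set_parms_fixed(struct table *t, int dev_ok, int *ifindex)
{
    int idx = resolve_dev(dev_ok);
    if (idx < 0)
        return -EINVAL;              /* nothing acquired yet, nothing to undo */
    t->refcnt++;
    *ifindex = idx;
    return 0;
}

/* Drive n failing requests through one variant and return the final count. */
static unsigned refcnt_after_failures(int fixed, unsigned n)
{
    struct table t = { .refcnt = 1 };    /* one legitimate owner */
    int ifindex = -1;
    for (unsigned i = 0; i < n; i++) {
        if (fixed) set_parms_fixed(&t, 0, &ifindex);
        else       set_parms_leaky(&t, 0, &ifindex);
    }
    return t.refcnt;
}

int main(void)
{
    printf("leaky, 10 failures:  %u\n", refcnt_after_failures(0, 10));
    printf("leaky, 255 failures: %u\n", refcnt_after_failures(0, 255));
    printf("fixed, 255 failures: %u\n", refcnt_after_failures(1, 255));
    return 0;
}
```

In the leaky variant the count reaches zero while the original owner still holds its reference, which is the state from which a premature free and later double free follow; the fixed variant leaves the count untouched on every failed call.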