From patchwork Fri Aug 4 20:12:23 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1817161
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH v2 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Fri, 4 Aug 2023 16:12:23 -0400
Message-Id: <20230804201225.116222-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230804201225.116222-1-yuxuan.luo@canonical.com>
References: <20230804201225.116222-1-yuxuan.luo@canonical.com>

From: Lee Jones

In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can be
used to do 'bad things'.

In order to prevent this, move the point of possible failure above the
point where the reference counter is incremented. Also save any
meaningful return values to be applied to the return data at the
appropriate point in time.

This issue was caught with KASAN.

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
Suggested-by: Eric Dumazet
Signed-off-by: Lee Jones
Reviewed-by: Eric Dumazet
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
(cherry picked from commit 04c55383fa5689357bcdd2c8036725a55ed632bc)
CVE-2023-3609
Signed-off-by: Yuxuan Luo
---
 net/sched/cls_u32.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index ed8d26e6468ca..e5cc2b4d38d5a 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -716,12 +716,18 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, struct nlattr *est, bool ovr, struct netlink_ext_ack *extack) { - int err; + int err, ifindex = -1; err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr, true, extack); if (err < 0) return err; + if (tb[TCA_U32_INDEV]) { + ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); + if (ifindex < 0) + return -EINVAL; + } + if (tb[TCA_U32_LINK]) { u32 handle = nla_get_u32(tb[TCA_U32_LINK]); struct tc_u_hnode *ht_down = NULL, *ht_old; @@ -756,13 +762,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, tcf_bind_filter(tp, &n->res, base); } - if (tb[TCA_U32_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); - if (ret < 0) - return -EINVAL; - n->ifindex = ret; - } + if (ifindex >= 0) + n->ifindex = ifindex; + return 0; }
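Review bot: The placement of the new `if (tb[TCA_U32_INDEV])` block ahead of `if (tb[TCA_U32_LINK])` in the first hunk is the entire fix, yet nothing in the code records that the order matters. A one-line comment saying that every fallible call has to run before the reference counter is incremented would keep a later change from adding an error return below that point again. In the same block, `return -EINVAL;` throws away the negative value tcf_change_indev() returned; that matches the removed code, but it sits oddly next to the commit message's "save any meaningful return values", and returning `ifindex` itself would propagate the original errno if diverging from the upstream commit is acceptable for this backport.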
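Review bot: In the second hunk, `if (ifindex >= 0)` depends on `ifindex` doing two jobs: -1 means "TCA_U32_INDEV was not supplied", and any other value is the lookup result. That is only correct because the block added in the first hunk returns on every negative result, so the dependency deserves a short comment on the `ifindex = -1` initialiser, or the test could be written as `if (tb[TCA_U32_INDEV])` to say what it means. With the old block removed, nothing between tcf_bind_filter() and `return 0;` can fail, which is what the fix requires; the lines inside the TCA_U32_LINK block are not shown in this diff, so it is worth confirming during review that no error return remains there after the counter is incremented.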