From patchwork Wed Aug 16 22:14:29 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yuxuan Luo <yuxuan.luo@canonical.com>
X-Patchwork-Id: 1822055
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=pvxrvP3G;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RR2Vz0Z1Xz1yfk
	for <incoming@patchwork.ozlabs.org>; Thu, 17 Aug 2023 08:14:51 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qWOmr-0002E4-Jk; Wed, 16 Aug 2023 22:14:45 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <yuxuan.luo@canonical.com>) id 1qWOmq-0002Cs-38
 for kernel-team@lists.ubuntu.com; Wed, 16 Aug 2023 22:14:44 +0000
Received: from mail-qk1-f198.google.com (mail-qk1-f198.google.com
 [209.85.222.198])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id DF8423F314
 for <kernel-team@lists.ubuntu.com>; Wed, 16 Aug 2023 22:14:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1692224083;
 bh=qRjHcnYIJYMkPAnyx/LVsGtOwG0S6xx9j5iS0oIxzjY=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=pvxrvP3GMkPK5vGjTDBjpV3BqgtpXHxmddbL7/yuBUpSyDBl/Y8Uoemdei2JgKH6/
 zJASfbiHFBX57M73a1fqCg5MeyVXqTja9V3Ty6OIrC5aDDu73sAHZ5QvSJE+dUSc1N
 ddlgX2MmNgSo7/aPuX4tJfmRdBYJgsmy1i7WD/lIqrPY6GwzY4vXrdV//1oVF2Vw86
 zUmkhNpj0NgJTstdg6D8mhu2nacVW2uMA3yB6xLzPfyMMgbmPnvDV7iZ+4ECXAgIdT
 n5UahilG+BxP7G2NCGylxY2QUNM8BrlnxYAG+AV9+5WzURcT4EQAeU7ZSAd9YyVuVD
 jPDly8GCWwriA==
Received: by mail-qk1-f198.google.com with SMTP id
 af79cd13be357-76cea6c1fa0so30272785a.0
 for <kernel-team@lists.ubuntu.com>; Wed, 16 Aug 2023 15:14:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1692224082; x=1692828882;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=qRjHcnYIJYMkPAnyx/LVsGtOwG0S6xx9j5iS0oIxzjY=;
 b=Eulob5DIgqr+U3zQ6n0s7Jgitg3LjRSXHjvWOs9KAirKOdCB1IWmqkd/W3+TqzvXSG
 N2TGTM++kGx85O+sxbeX2Va2P3kj5AVrHoFxzwtJniJIkqlGVnjqvCqUiIfoOBHXwM4d
 9fjg6nUoLgiQuH1ooXl51djrC89O4zAPPb9NFFYzKXEc1NSlzGhNXDwaFL/E++ZuvG4L
 NWQu5NSoEX/U1YSdYF8EftzGmdjzgijICKbwm6OOlKJLTB/bVPN03vtzsOrtII0053NV
 +IGQylebrlY8qQOhRUYh78lqhbG6qR8n2cNY772n0xJ1f3Xfc7DhQmOvQfiVKzMwvmL0
 2Uxw==
X-Gm-Message-State: AOJu0YzMlYQkwvpbrG4Hpr6yTnYgaOm2ZHHNn+vNHN13bi9HrL6VZSWi
 G0Ej71K9A7F1aT5zygMZjWyV3hWjLKQalQ6FZa9LOGpCbNYEWgoGgFj9AOtcTxWsWTrQ8zh8wuX
 c7/FylXIYbGAhJLZwQ4/WbFYVidI5thxBLDdeahVKVhDEaJGssw==
X-Received: by 2002:a05:620a:4550:b0:767:156e:dda6 with SMTP id
 u16-20020a05620a455000b00767156edda6mr1443109qkp.32.1692224082625;
 Wed, 16 Aug 2023 15:14:42 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IGDHQPOhKEyYetj6x7UwFeQ1fl2pDE+6lBvKU+wNSgEx3BLsYmTx0afW6iRtNczRueOg/A5oA==
X-Received: by 2002:a05:620a:4550:b0:767:156e:dda6 with SMTP id
 u16-20020a05620a455000b00767156edda6mr1443093qkp.32.1692224082385;
 Wed, 16 Aug 2023 15:14:42 -0700 (PDT)
Received: from cache-ubuntu.hsd1.nj.comcast.net
 ([2601:86:200:98b0:f97b:a3de:4e96:951c])
 by smtp.gmail.com with ESMTPSA id
 r2-20020a0cb282000000b00637abbfaac9sm5240500qve.98.2023.08.16.15.14.41
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 16 Aug 2023 15:14:42 -0700 (PDT)
From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal/Jammy/Lunar][PATCH 1/3] net/sched: cls_u32: No longer
 copy tcf_result on update to avoid use-after-free
Date: Wed, 16 Aug 2023 18:14:29 -0400
Message-Id: <20230816221431.39612-2-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230816221431.39612-1-yuxuan.luo@canonical.com>
References: <20230816221431.39612-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: valis <sec@valis.email>

When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: de5df63228fc ("net: sched: cls_u32 changes to knode must appear atomic to readers")
Reported-by: valis <sec@valis.email>
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81)
CVE-2023-4128
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
---
 net/sched/cls_u32.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index d15d50de79802..d830ff3da9b8d 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -815,7 +815,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
 
 	new->ifindex = n->ifindex;
 	new->fshift = n->fshift;
-	new->res = n->res;
 	new->flags = n->flags;
 	RCU_INIT_POINTER(new->ht_down, ht);
 

From patchwork Wed Aug 16 22:14:30 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yuxuan Luo <yuxuan.luo@canonical.com>
X-Patchwork-Id: 1822056
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=lmC9hPxb;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RR2W03KWdz1yfk
	for <incoming@patchwork.ozlabs.org>; Thu, 17 Aug 2023 08:14:52 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qWOmt-0002G5-Qf; Wed, 16 Aug 2023 22:14:47 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <yuxuan.luo@canonical.com>) id 1qWOmr-0002Dh-BY
 for kernel-team@lists.ubuntu.com; Wed, 16 Aug 2023 22:14:45 +0000
Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com
 [209.85.219.72])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 2581D3F314
 for <kernel-team@lists.ubuntu.com>; Wed, 16 Aug 2023 22:14:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1692224085;
 bh=0xWoz4HBydy1yla66y/Pi6BJ1srqyHAKBqCMB1D+pfc=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=lmC9hPxb5TipDTrP9ljv88oNyf2s7cbB0P8bCJlxxx6WA9hy/ikgWna2f5fcODZlu
 gpWkgek79e40rFh3ukAt7DAV1TcZBm2YOvyYdGo5HYrbQZkmsAecdrhHxiw7BRlqNH
 MjGFwtS/I+8Kpw0CXmJS9vb8drlV2plhigJ7G70AFL1L4PzihPuexQVdgvlyo1bdVR
 WHmE2qlLsT5Nmp1tZ7muuiSmOSauMUOZdZEYCK9s2qV8nvlXlBLn0dQp6bU+u1JUyj
 0SVkT3hhg1Jc0F+cjsYc1AEVY9PbLTY76/Ef6SbuYMPwoJzsu21aTEYXCEV498Go9o
 W+9nfxs+L17UQ==
Received: by mail-qv1-f72.google.com with SMTP id
 6a1803df08f44-63ccbef84eeso69643446d6.3
 for <kernel-team@lists.ubuntu.com>; Wed, 16 Aug 2023 15:14:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1692224084; x=1692828884;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=0xWoz4HBydy1yla66y/Pi6BJ1srqyHAKBqCMB1D+pfc=;
 b=K3+AxgjXJlWbzvJ36rZohjXEVyNdaJDVSwFSCdPqK8LFQu8RWebzx/OvLo2ToQaBp+
 NgWYPr2PpGiHLogd63Ub4MTq2yqcNo6dyUV67vUW1yfNQ0/VQHR7YXKNY6+S23pClNrx
 hM+HhgAtFR+KY3n1hB4jiNBJfv1hfsyztkkI3RQUKyasV9P1yUR/C2v5ebtyFzqadzeo
 NYVhngKdDqOo05i+plfkSbQEKXYUDzoxtE24SCo6rYw0QQOo5Cs9hawjW2qHSt/hYURo
 OVOtdBJv/dd3wBEwPds4JJCKDUwiKurhfwu3TLK82x3Tc9axbbGLMC85hBckmA6NPhGx
 cA5w==
X-Gm-Message-State: AOJu0YyXrgTvxSA6m8WTnRxWooYchiQ8jwKnZIP7RJWK8Y7fLeaBN6IV
 jNP0uv2RazOn36RaTgHXmXqX0WGGIF4bggUkCqQugE2k6cnJxHSqRzC5hhVZGpcjwnR07+PdO3a
 NNoaOpz0o5TvH21fKSpYqNhRcqKLFs8OdZbVxDCy3Qsy0gAegAw==
X-Received: by 2002:a0c:e1c9:0:b0:641:8d17:96fd with SMTP id
 v9-20020a0ce1c9000000b006418d1796fdmr2815398qvl.41.1692224083824;
 Wed, 16 Aug 2023 15:14:43 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IF6cOlKXGAXzW6AxRDwO8wFESxQWvWkcxSm10grJnKPfuETxhQNRSQc8eA3JMcK2GX52NUsXA==
X-Received: by 2002:a0c:e1c9:0:b0:641:8d17:96fd with SMTP id
 v9-20020a0ce1c9000000b006418d1796fdmr2815384qvl.41.1692224083470;
 Wed, 16 Aug 2023 15:14:43 -0700 (PDT)
Received: from cache-ubuntu.hsd1.nj.comcast.net
 ([2601:86:200:98b0:f97b:a3de:4e96:951c])
 by smtp.gmail.com with ESMTPSA id
 r2-20020a0cb282000000b00637abbfaac9sm5240500qve.98.2023.08.16.15.14.42
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 16 Aug 2023 15:14:42 -0700 (PDT)
From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal/Jammy/Lunar][PATCH 2/3] net/sched: cls_fw: No longer copy
 tcf_result on update to avoid use-after-free
Date: Wed, 16 Aug 2023 18:14:30 -0400
Message-Id: <20230816221431.39612-3-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230816221431.39612-1-yuxuan.luo@canonical.com>
References: <20230816221431.39612-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: valis <sec@valis.email>

When fw_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: e35a8ee5993b ("net: sched: fw use RCU")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 76e42ae831991c828cffa8c37736ebfb831ad5ec)
CVE-2023-4128
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
---
 net/sched/cls_fw.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 8641f80593179..c49d6af0e0480 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -267,7 +267,6 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
 			return -ENOBUFS;
 
 		fnew->id = f->id;
-		fnew->res = f->res;
 		fnew->ifindex = f->ifindex;
 		fnew->tp = f->tp;
 

From patchwork Wed Aug 16 22:14:31 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yuxuan Luo <yuxuan.luo@canonical.com>
X-Patchwork-Id: 1822057
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=ikyIrHlh;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RR2W10blVz1ygD
	for <incoming@patchwork.ozlabs.org>; Thu, 17 Aug 2023 08:14:53 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qWOmu-0002GV-0Y; Wed, 16 Aug 2023 22:14:48 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <yuxuan.luo@canonical.com>) id 1qWOms-0002Ej-CC
 for kernel-team@lists.ubuntu.com; Wed, 16 Aug 2023 22:14:46 +0000
Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com
 [209.85.219.72])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 3A60F3F314
 for <kernel-team@lists.ubuntu.com>; Wed, 16 Aug 2023 22:14:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1692224086;
 bh=zu6lyW62ytnW2KsHwiAULk24sGge1dZYsCpSfa/ocac=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=ikyIrHlh4bvPbxc3ULOAt3le4sbuSaH0GQyS3DLLH7nNJCSFkxHyY6JXJAKvCVWk9
 wzRs9tdQSoFxEFPLATjArUTl4VbFpgeQXQ7kSoyuP/CsEneEuI6oW/mLeUVTfSkIHn
 GeIamRhG98vrSHAboqI+zQfz2BIz7/uOIgx6Coe0B0wHdUpJqr2PohsBxAlJ07Kafw
 VWKjITrk0s08rFW+agtu5Jizv+13oNXGT8yfeWhrY+R4PH68XGVZrpWwrt9gI9sSVt
 KbfabfSRNWix222sRdPrTiluZToQ7znQVrY6JwRZhOlOHPFaCgX8ie0PuIOsqrr1Xq
 pl9ArEWZGpJmA==
Received: by mail-qv1-f72.google.com with SMTP id
 6a1803df08f44-63cd1ea05d7so3167556d6.0
 for <kernel-team@lists.ubuntu.com>; Wed, 16 Aug 2023 15:14:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1692224085; x=1692828885;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=zu6lyW62ytnW2KsHwiAULk24sGge1dZYsCpSfa/ocac=;
 b=gWdjvsyJXD3cbwSU1f91fRP2pIi+RJn7poOmX7IYG/zXzNFd5ZB/ms6q2z7YMpMFUE
 gVZjr/8auvTSMNSHSKFgJXKbaAIiDAhHIwIQaJdAlouz14Y1gPV6sgfRmd06hDDrBT60
 g3EVcg7aW9oCg0dhLuxuYLVUnI6+7nDE44bleOwond91x74u0EHbmIkAfZvutLqIDDqo
 Dj3D0seZnMxM2IAg9TVtre0saHYyAV4R0UvLqUMGp2UiOlJR7anbEoQvuVQcEGEnzgI2
 cl9vtAFJkyw4eYGm8+uOSNk40jFTCT6d0Gn+hCfXt4gUZ0d5TIKK1pQOeapkt4o1QCx4
 4+Zg==
X-Gm-Message-State: AOJu0YyUWOBrFxeZxcXezka2J/DtYPM/Hox7KRidnithybC4Pwl4m3nk
 njs0/ggRppSMFGFmL2JapBZITeMIL2PKJuCWKhVAqDI7kTkkmQgwzY2aIY5Z2j5rsaV/PK/kpRm
 H9qiSjit/gPMcM8JKPqN6jLejZl3GvRg1WSgo2Hka5LkZJpGBSw==
X-Received: by 2002:ad4:5dc7:0:b0:63c:f325:bb03 with SMTP id
 m7-20020ad45dc7000000b0063cf325bb03mr1132403qvh.8.1692224084965;
 Wed, 16 Aug 2023 15:14:44 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFmq9zMX61QlchfQM6tS5aNxFlvOCluyLxiFQ0I52bfT6TdOp2BJl36kr1tcOAbjQvQPyTtMQ==
X-Received: by 2002:ad4:5dc7:0:b0:63c:f325:bb03 with SMTP id
 m7-20020ad45dc7000000b0063cf325bb03mr1132392qvh.8.1692224084724;
 Wed, 16 Aug 2023 15:14:44 -0700 (PDT)
Received: from cache-ubuntu.hsd1.nj.comcast.net
 ([2601:86:200:98b0:f97b:a3de:4e96:951c])
 by smtp.gmail.com with ESMTPSA id
 r2-20020a0cb282000000b00637abbfaac9sm5240500qve.98.2023.08.16.15.14.43
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 16 Aug 2023 15:14:44 -0700 (PDT)
From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal/Jammy/Lunar][PATCH 3/3] net/sched: cls_route: No longer
 copy tcf_result on update to avoid use-after-free
Date: Wed, 16 Aug 2023 18:14:31 -0400
Message-Id: <20230816221431.39612-4-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230816221431.39612-1-yuxuan.luo@canonical.com>
References: <20230816221431.39612-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: valis <sec@valis.email>

When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: 1109c00547fc ("net: sched: RCU cls_route")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8)
CVE-2023-4128
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
---
 net/sched/cls_route.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index d0c53724d3e86..1e20bbd687f1d 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -513,7 +513,6 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 	if (fold) {
 		f->id = fold->id;
 		f->iif = fold->iif;
-		f->res = fold->res;
 		f->handle = fold->handle;
 
 		f->tp = fold->tp;