From patchwork Wed Feb 1 13:22:58 2023
X-Patchwork-Submitter: Andrei Gherzan
X-Patchwork-Id: 1735521
From: Andrei Gherzan
To: kernel-team@lists.ubuntu.com
Cc: Andrei Gherzan
Subject: [PATCH 1/1] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()
Date: Wed, 1 Feb 2023 13:22:58 +0000
Message-Id: <20230201132258.37913-2-andrei.gherzan@canonical.com>
In-Reply-To: <20230201132258.37913-1-andrei.gherzan@canonical.com>
References: <20230201132258.37913-1-andrei.gherzan@canonical.com>

From: Hangyu Hua

xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of pols[0]. This refcount can be dropped in xfrm_expand_policies() when xfrm_expand_policies() returns an error. pols[0]'s refcount is balanced here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with num_pols == 1 to drop this refcount when xfrm_expand_policies() returns an error.

This patch also fixes an illegal address access. pols[0] will save an error pointer when xfrm_policy_lookup() fails. This leads to xfrm_pols_put() resolving an illegal address in xfrm_bundle_lookup()'s error path.

Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.

Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing flows")
Signed-off-by: Hangyu Hua
Signed-off-by: Steffen Klassert
CVE-2022-36879
(cherry picked from commit f85daf0e725358be78dfd208dea5fd665d8cb901)
Signed-off-by: Andrei Gherzan
---
 net/xfrm/xfrm_policy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 19aa994f5d2c..96bad1e38f7d 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2676,8 +2676,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, *num_xfrms = 0; return 0; } - if (IS_ERR(pols[0])) + if (IS_ERR(pols[0])) { + *num_pols = 0; return PTR_ERR(pols[0]); + } *num_xfrms = pols[0]->xfrm_nr; @@ -2692,6 +2694,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, if (pols[1]) { if (IS_ERR(pols[1])) { xfrm_pols_put(pols, *num_pols); + *num_pols = 0; return PTR_ERR(pols[1]); } (*num_pols)++;
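Review bot: in the first hunk, the new `*num_pols = 0;` before `return PTR_ERR(pols[0]);` only prevents the illegal access because the caller's `xfrm_pols_put(pols, num_pols)` does nothing for a zero count; a one-line comment above the assignment stating that contract (on any error return *num_pols is 0 and the caller holds no references) would keep a later change from reintroducing the bug. Also, the no-policy path a few lines up zeroes both `*num_pols` and `*num_xfrms` before `return 0;`, while this error path leaves `*num_xfrms` untouched; consider zeroing it as well unless callers are known to ignore it on error.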
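Review bot: in the second hunk, `*num_pols = 0;` correctly comes after `xfrm_pols_put(pols, *num_pols);`, since the put must still see the count of 1 to release pols[0]; pols[1] is an ERR_PTR and remains stored in the array at this point, so it is again only the zero count that keeps the caller's put from walking into it, and `*num_xfrms` still holds the `pols[0]->xfrm_nr` assigned earlier when `PTR_ERR(pols[1])` is returned. A short comment tying the reset to the caller's unconditional `xfrm_pols_put()` would make the ownership hand-off explicit.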