From patchwork Wed Mar 15 23:36:28 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1757647
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic, Focal, Jammy, Kinetic 1/1] net: mpls: fix stale pointer if allocation fails during device rename
Date: Thu, 16 Mar 2023 02:36:28 +0300
Message-Id: <20230315233626.935873-2-cengiz.can@canonical.com>
In-Reply-To: <20230315233626.935873-1-cengiz.can@canonical.com>
References: <20230315233626.935873-1-cengiz.can@canonical.com>

From: Jakub Kicinski

lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free).

Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable.

Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time.

sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL.

Reported-by: lianhui tang
Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski
Signed-off-by: David S. Miller

CVE-2023-26545
(cherry picked from commit fda6c89fe3d9aca073495a664e1d5aea28cd4377)
Signed-off-by: Cengiz Can --- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index b52afe316dc4..f1f43894efb8 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev, free: kfree(table); out: + mdev->sysctl = NULL; return -ENOBUFS; } @@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(struct net_device *dev, struct net *net = dev_net(dev); struct ctl_table *table; + if (!mdev->sysctl) + return; + table = mdev->sysctl->ctl_table_arg; unregister_net_sysctl_table(mdev->sysctl); kfree(table);
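
Review bot: in the first hunk (mpls_dev_sysctl_register), the new `mdev->sysctl = NULL;` under `out:` carries no comment saying why a failed registration has to clear the pointer. The reason is only in the commit message: a pointer left over from before the rename would otherwise be unregistered and freed a second time. A one-line comment above the assignment would keep that invariant visible to anyone who later reworks the error labels. Because `free:` falls through to `out:`, both failure paths reach the store, which is the behaviour wanted here. As one patch is submitted for four series, please also confirm that the hunk lands under the same `out:` label in each of them.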
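
Review bot: in the second hunk (mpls_dev_sysctl_unregister), the `if (!mdev->sysctl) return;` guard relies on the pointer being NULL whenever the table is gone, but the visible context ends at `kfree(table);` without showing `mdev->sysctl` being cleared after the free. If nothing after that line resets it, the guard covers only the failed-register path from the first hunk, and a second call to this function would still dereference and free the old table. Consider setting `mdev->sysctl = NULL` after `kfree(table)`, or confirm that no caller can reach this function twice for the same device. The early return also skips whatever follows `kfree(table)` in this function, which the hunk does not show, so please confirm that skipping it is intended for a device whose registration failed.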