From patchwork Fri Aug 4 20:12:24 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1817163
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH v2 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
Date: Fri, 4 Aug 2023 16:12:24 -0400
Message-Id: <20230804201225.116222-3-yuxuan.luo@canonical.com>
In-Reply-To: <20230804201225.116222-1-yuxuan.luo@canonical.com>
References: <20230804201225.116222-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions

From: Lee Jones

In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can
be used to do 'bad things'.

In order to prevent this, move the point of possible failure above the
point where the reference counter is incremented. Also save any
meaningful return values to be applied to the return data at the
appropriate point in time.

This issue was caught with KASAN.

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
Suggested-by: Eric Dumazet
Signed-off-by: Lee Jones
Reviewed-by: Eric Dumazet
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
(cherry picked from commit 04c55383fa5689357bcdd2c8036725a55ed632bc)
CVE-2023-3609
Signed-off-by: Yuxuan Luo --- net/sched/cls_u32.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 5d30db0d7157..0025fa837e85 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -716,12 +716,18 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, struct nlattr *est, u32 flags, struct netlink_ext_ack *extack) { - int err; + int err, ifindex = -1; err = tcf_exts_validate(net, tp, tb, est, &n->exts, flags, extack); if (err < 0) return err; + if (tb[TCA_U32_INDEV]) { + ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); + if (ifindex < 0) + return -EINVAL; + } + if (tb[TCA_U32_LINK]) { u32 handle = nla_get_u32(tb[TCA_U32_LINK]); struct tc_u_hnode *ht_down = NULL, *ht_old; @@ -756,13 +762,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, tcf_bind_filter(tp, &n->res, base); } - if (tb[TCA_U32_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); - if (ret < 0) - return -EINVAL; - n->ifindex = ret; - } + if (ifindex >= 0) + n->ifindex = ifindex; + return 0; }
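Review bot: in the first hunk the new `if (ifindex < 0) return -EINVAL;` now sits before the `if (tb[TCA_U32_LINK])` block, so the only early return that remains between the reference bump and the end of the function is gone; that is the fix, and since the return still comes after a successful tcf_exts_validate(), exactly as the removed INDEV block did, no new cleanup obligation is introduced. The -1 in `int err, ifindex = -1;` is a sentinel meaning "no TCA_U32_INDEV attribute supplied", and nothing in the hunk says so; a one-line comment there would save the next reader from working it out from the `>= 0` test further down.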
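Review bot: `if (ifindex >= 0) n->ifindex = ifindex;` in the second hunk depends on the -1 initialisation from the first hunk and on tcf_change_indev() returning a negative value on failure (which the first hunk's `if (ifindex < 0)` check already relies on); read on its own this hunk gives no hint why a bare `>= 0` is the right test, so either a short comment here or wording in the sentinel's declaration would help. The assignment keeps its place after tcf_bind_filter(), so the success path is unchanged, which is what an SRU cherry-pick should look like; the diffstat (10 insertions, 8 deletions) is consistent with a pure reordering plus the sentinel.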
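The ordering bug the commit message describes, modelled as an added example that is not kernel code or the patch author's: a buggy and a fixed version of a hypothetical set_parms() over a stand-in hnode, plus a driver that reports what the refcount looks like after repeated failures (the 8-bit counter, change_indev() and the constant return values are assumptions of the model).

```c
/* Constructed model of the u32_set_parms() bug, not kernel code. The refcount
 * is narrowed to 8 bits so the rollover is reachable in a quick test. */
#include <stdbool.h>
#include <stdint.h>

struct hnode { uint8_t refcnt; };             /* stand-in for tc_u_hnode */
typedef int (*set_parms_fn)(struct hnode *, bool, bool, int *);
/* Stand-in for tcf_change_indev(): ifindex on success, -ENODEV otherwise. */
static int change_indev(bool dev_ok) { return dev_ok ? 7 : -19; }

/* Buggy ordering (pre-fix): the reference for TCA_U32_LINK is taken before
 * the INDEV lookup that can fail, and the error return never undoes it. */
static int set_parms_buggy(struct hnode *ht, bool indev, bool dev_ok, int *ifindex)
{
    ht->refcnt++;                               /* reference acquired */
    if (indev) {
        int ret = change_indev(dev_ok);
        if (ret < 0)
            return -22;                         /* -EINVAL, refcnt leaked */
        *ifindex = ret;
    }
    return 0;
}

/* Fixed ordering (what the patch does): resolve the device first, take the
 * reference only once nothing below can fail, apply ifindex at the end. */
static int set_parms_fixed(struct hnode *ht, bool indev, bool dev_ok, int *ifindex)
{
    int idx = -1;                               /* -1: no INDEV attribute */
    if (indev) {
        idx = change_indev(dev_ok);
        if (idx < 0)
            return -22;                         /* nothing to undo yet */
    }
    ht->refcnt++;
    if (idx >= 0)
        *ifindex = idx;
    return 0;
}

/* Call fn n times with an INDEV that fails to resolve and return the refcount
 * left behind; a balanced implementation leaves the starting value of 1. */
static unsigned refcnt_after_failures(set_parms_fn fn, unsigned n)
{
    struct hnode ht = { .refcnt = 1 };
    int ifindex = 0;
    for (unsigned i = 0; i < n; i++)
        fn(&ht, true, false, &ifindex);
    return ht.refcnt;
}
```

With the buggy ordering the count grows by one per failed call and wraps to 0 after 255 failures, which is the "rollover and the reference freed" state the commit message warns about; the fixed ordering leaves it at 1.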