From patchwork Wed Aug 16 22:14:31 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1822057
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal/Jammy/Lunar][PATCH 3/3] net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
Date: Wed, 16 Aug 2023 18:14:31 -0400
Message-Id: <20230816221431.39612-4-yuxuan.luo@canonical.com>
In-Reply-To: <20230816221431.39612-1-yuxuan.luo@canonical.com>
References: <20230816221431.39612-1-yuxuan.luo@canonical.com>

From: valis

When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class, as
tcf_unbind_filter() is always called on the old instance in the success
path, decreasing filter_cnt of the still referenced class and allowing it
to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: 1109c00547fc ("net: sched: RCU cls_route")
Reported-by: valis
Reported-by: Bing-Jhong Billy Jheng
Signed-off-by: valis
Signed-off-by: Jamal Hadi Salim
Reviewed-by: Victor Nogueira
Reviewed-by: Pedro Tammela
Reviewed-by: M A Ramdhan
Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski
(cherry picked from commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8)
CVE-2023-4128
Signed-off-by: Yuxuan Luo
---
 net/sched/cls_route.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c index d0c53724d3e86..1e20bbd687f1d 100644 --- a/net/sched/cls_route.c +++ b/net/sched/cls_route.c @@ -513,7 +513,6 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, if (fold) { f->id = fold->id; f->iif = fold->iif; - f->res = fold->res; f->handle = fold->handle; f->tp = fold->tp;
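Review bot: the commit message should state the user-visible consequence of removing `f->res = fold->res;` in the `if (fold)` block: the new instance no longer inherits the old filter's class binding, so an update request that does not itself carry a class id ends up without the binding the old filter had, unless the rest of route4_change() (not shown in this hunk) fills f->res from the request's attributes. That is the intended trade-off given the explanation above (the inherited result made tcf_unbind_filter() on the old instance decrement filter_cnt of a class still in use, hence the use-after-free), but spelling it out lets the Focal/Jammy/Lunar SRU reviewers judge the regression risk without reading the whole function. The other fields still copied from fold (f->id, f->iif, f->handle, f->tp) are not the class-bound result, so leaving those copies in place is consistent with the fix.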