From patchwork Fri Jul 28 06:57:39 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1814093
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar] net/sched: cls_fw: Fix improper refcount update leads to use-after-free
Date: Fri, 28 Jul 2023 09:57:39 +0300
Message-Id: <20230728065738.1057030-2-cengiz.can@canonical.com>
In-Reply-To: <20230728065738.1057030-1-cengiz.can@canonical.com>
References: <20230728065738.1057030-1-cengiz.can@canonical.com>

From: M A Ramdhan

In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing the
reference counter in tcf_bind_filter().

If an attacker can control the reference counter to zero and have the
reference freed, this leads to a use-after-free.

In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan
Signed-off-by: M A Ramdhan
Acked-by: Jamal Hadi Salim
Reviewed-by: Pedro Tammela
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski
CVE-2023-3776
(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)
Signed-off-by: Cengiz Can
---
 net/sched/cls_fw.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index ae9439a6c56c..8641f8059317 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -212,11 +212,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, if (err < 0) return err; - if (tb[TCA_FW_CLASSID]) { - f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); - tcf_bind_filter(tp, &f->res, base); - } - if (tb[TCA_FW_INDEV]) { int ret; ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack); @@ -233,6 +228,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, } else if (head->mask != 0xFFFFFFFF) return err; + if (tb[TCA_FW_CLASSID]) { + f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); + tcf_bind_filter(tp, &f->res, base); + } + return 0; }
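Review bot: The deletion in the first hunk (the `tb[TCA_FW_CLASSID]` block ahead of the `tb[TCA_FW_INDEV]` handling) is only correct together with the re-insertion in the second hunk, so the commit message should spell out the invariant being restored: tcf_bind_filter() rebinds f->res as a side effect, and before this change both the failure return after tcf_change_indev() and the visible `return err;` on the `head->mask != 0xFFFFFFFF` check executed after that rebind had already happened, leaving it unpaired on the error path. Suggest adding a short comment at the original site, or in the changelog, stating that no side effect on f->res may precede a step that can still fail, so the ordering is not "tidied" back by a later refactor.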
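Review bot: Placing the `tb[TCA_FW_CLASSID]` bind immediately before `return 0;` in the second hunk makes tcf_bind_filter() the last side effect in fw_set_parms(), so every remaining early return in the function now happens before f->res is touched; that is the right shape for the fix. A one-line comment above the moved block, such as "bind last: nothing after this may fail, or the bind is left unpaired", would document why it sits here. One more note for the SRU: the `Fixes:` tag points at the initial git import (1da177e4c3f4), so every supported series carries the bug, which matches the list of series in the subject line.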
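As an added illustration of the ordering bug the commit message describes (this is a toy model written for this page, not kernel code or the patch author's), the block below compares the pre-patch order of fw_set_parms() (bind, then a fallible step) with the post-patch order (fallible steps, then bind). It assumes, as upstream cls_fw.c does on the update path, that the caller copies the live filter f into fnew, calls set_parms on fnew, and on error frees fnew without unbinding it; class deletion is assumed to be allowed only when the class's filter count is zero.

```c
#include <stdio.h>
/* Toy model of the ordering bug this patch fixes (not kernel code). A class
 * counts the filters bound to it and may only be deleted when that count is
 * zero; tcf_bind_filter() is modelled as "unbind old class, bind new one". */
struct tc_class  { int filter_cnt; };
struct tc_filter { struct tc_class *class; };  /* stands in for f->res.class */

static void bind_filter(struct tc_filter *f, struct tc_class *c)
{
	if (f->class)
		f->class->filter_cnt--;  /* drop the previous binding */
	c->filter_cnt++;
	f->class = c;
}

/* Before the patch: bind, then a step that may fail (tcf_change_indev()
 * analogue). The error return leaves the bind behind. */
static int set_parms_before(struct tc_filter *f, struct tc_class *c, int ok)
{
	bind_filter(f, c);
	return ok ? 0 : -1;
}

/* After the patch: every fallible step first, the bind last. */
static int set_parms_after(struct tc_filter *f, struct tc_class *c, int ok)
{
	if (!ok)
		return -1;
	bind_filter(f, c);
	return 0;
}

/* Replays the update path (assumed caller behaviour): fnew is a copy of the
 * live filter f, set_parms fails, the caller drops fnew without unbinding it
 * and f stays in use. Returns 1 if the old class is now deletable while f
 * still points at it (the use-after-free precondition), 0 if the count holds. */
static int dangling_after_failed_update(
	int (*set_parms)(struct tc_filter *, struct tc_class *, int))
{
	struct tc_class oldc = { 1 }, newc = { 0 };
	struct tc_filter f = { &oldc }, fnew = f;  /* fw_change() copies f into fnew */
	(void)set_parms(&fnew, &newc, 0);          /* 0: the indev step fails */
	return f.class == &oldc && oldc.filter_cnt == 0;
}

int main(void)
{
	printf("before: %d after: %d\n", dangling_after_failed_update(set_parms_before),
	       dangling_after_failed_update(set_parms_after));
	return 0;
}
```

Running it prints `before: 1 after: 0`: with the old order the surviving filter still references a class whose count has already dropped to zero, with the new order the count is untouched on the error path.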