From patchwork Tue Sep 24 15:45:06 2024
From: Ian Whitfield
To: kernel-team@lists.ubuntu.com
Subject: [SRU][N][PATCH 0/1] CVE-2024-45016
Date: Tue, 24 Sep 2024 08:45:06 -0700
Message-ID: <20240924154507.14124-1-ian.whitfield@canonical.com>

[Impact]

netem: fix return value if duplicate enqueue fails

There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.

There are two ways for the bug to happen:

- If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped.

In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.

The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.

[Backport]

The fix was cleanly applied.

[Fix]

Noble: backport
Jammy: fixed via stable
Focal: fixed via stable
Bionic: fix sent to esm ML
Xenial: not affected
Trusty: not affected

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix affects those who use netem, the Linux network emulator. An issue with this fix would be visible to users via a use-after-free under specific conditions, leading to a system crash or unexpected behavior.

Stephen Hemminger (1):
  netem: fix return value if duplicate enqueue fails

 net/sched/sch_netem.c | 47 ++++++++++++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 18 deletions(-)

Acked-by: Magali Lemes
Acked-by: Jacob Martin
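As an added illustration of the accounting problem described in the cover letter (a constructed user-space model written for this page, not code from the kernel's net/sched/sch_netem.c and not part of the submission), the following shows why a child qdisc that reports NET_XMIT_SUCCESS for a packet it does not actually hold makes the parent's q.qlen drift away from the child's real length, and why enqueuing the duplicate only after the original has succeeded keeps the two in step. The struct, the enum of duplicate outcomes and every function name are assumptions of the model; only the NET_XMIT_* names and the two failure cases come from the text.

```c
#include <stdio.h>
#include <stdbool.h>

/* Return codes with the meaning used in the cover letter; values are the model's own. */
#define NET_XMIT_SUCCESS 0
#define NET_XMIT_DROP    1

/* Constructed minimal qdisc: a queue length and a capacity. */
struct qdisc { int qlen; int limit; };

/* The two ways the cover letter says the duplicate can fail to reach netem. */
enum dup_outcome { DUP_DROPPED, DUP_OTHER_QDISC };

/* Enqueue one packet on a qdisc, dropping when it is full. */
static int enqueue_here(struct qdisc *q)
{
    if (q->qlen >= q->limit)
        return NET_XMIT_DROP;
    q->qlen++;
    return NET_XMIT_SUCCESS;
}

/* Model of rootq->enqueue() for the duplicate: in both cases the duplicate
 * never ends up on this netem instance. */
static int root_enqueue_dup(struct qdisc *other, enum dup_outcome o)
{
    if (o == DUP_DROPPED)
        return NET_XMIT_DROP;
    return enqueue_here(other); /* lands on a different qdisc */
}

/* Buggy ordering (model of the behaviour the cover letter describes):
 * duplicate first, and success reported whenever a duplicate was made,
 * regardless of what happened to the original. */
static int netem_enqueue_buggy(struct qdisc *netem, struct qdisc *other, enum dup_outcome o)
{
    root_enqueue_dup(other, o);
    enqueue_here(netem);        /* original's result is ignored */
    return NET_XMIT_SUCCESS;
}

/* Fixed ordering (model of the described fix): the original is enqueued first
 * and its status is what the caller sees; the duplicate goes to the root only
 * once the original is known to have succeeded. */
static int netem_enqueue_fixed(struct qdisc *netem, struct qdisc *other, enum dup_outcome o)
{
    int ret = enqueue_here(netem);
    if (ret != NET_XMIT_SUCCESS)
        return ret;
    root_enqueue_dup(other, o);
    return NET_XMIT_SUCCESS;
}

/* Parent classful qdisc: it counts one more queued packet whenever the child
 * reports success. Returns parent.qlen minus what netem really holds; a
 * non-zero drift is the mis-incremented q.qlen the cover letter warns about. */
int parent_drift(bool fixed, enum dup_outcome o, int netem_limit)
{
    struct qdisc parent = {0, 100};
    struct qdisc netem  = {0, netem_limit}; /* limit 0 means every original drops */
    struct qdisc other  = {0, 100};
    int ret = fixed ? netem_enqueue_fixed(&netem, &other, o)
                    : netem_enqueue_buggy(&netem, &other, o);
    if (ret == NET_XMIT_SUCCESS)
        parent.qlen++;
    return parent.qlen - netem.qlen;
}

int main(void)
{
    printf("buggy, dup dropped, original dropped : drift %d\n", parent_drift(false, DUP_DROPPED, 0));
    printf("buggy, dup elsewhere, original dropped: drift %d\n", parent_drift(false, DUP_OTHER_QDISC, 0));
    printf("fixed, dup dropped, original dropped : drift %d\n", parent_drift(true, DUP_DROPPED, 0));
    printf("fixed, dup elsewhere, original dropped: drift %d\n", parent_drift(true, DUP_OTHER_QDISC, 0));
    printf("both orderings, original accepted     : drift %d / %d\n",
           parent_drift(false, DUP_DROPPED, 1), parent_drift(true, DUP_DROPPED, 1));
    return 0;
}
```

With netem full, the buggy ordering reports success and the parent believes it holds a packet that is nowhere in netem (drift 1 in both failure cases); the fixed ordering returns the original's drop status and the drift is 0. When the original is accepted, both orderings agree, which is why the bug only shows up under the specific conditions the cover letter lists.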