From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001
From: M A Ramdhan <ramdhan@starlabs.sg>
Date: Wed, 5 Jul 2023 12:15:30 -0400
Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to
use-after-free
In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing
reference counter in tcf_bind_filter(). If an attacker can drive the
reference counter to zero and have the reference freed, this leads to
a use-after-free.
In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)
CVE: CVE-2023-3776
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/sched/cls_fw.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
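diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 6a0d3ee00758..4240ca68cbc4 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
 if (err < 0)
 return err;
 
- if (tb[TCA_FW_CLASSID]) {
- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
- tcf_bind_filter(tp, &f->res, base);
- }
-
 if (tb[TCA_FW_INDEV]) {
 int ret;
 ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
 } else if (head->mask != 0xFFFFFFFF)
 return err;
 
+ if (tb[TCA_FW_CLASSID]) {
+ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+ tcf_bind_filter(tp, &f->res, base);
+ }
+
 return 0;
 }
 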
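Review bot: The fix relies on `tcf_bind_filter()` staying after every failing return in fw_set_parms(), but the moved block in the second hunk carries no comment saying so, and a later edit could add a new check below it and reintroduce the refcount imbalance described in the commit message. I would put a comment above `if (tb[TCA_FW_CLASSID]) {`: `/* Keep last: tcf_bind_filter() updates the class refcount, so no failing return may follow it. */`. The function's opening lines and its caller are outside both hunks, so whether the caller undoes the bind when it fails after fw_set_parms() returns 0 cannot be checked here and is worth confirming.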
--
2.39.3