net/sched: cls_u32: Fix reference counter leak leading to overflow

stable inclusion from stable-v5.10.185 commit af6eaa57986e82d7efd81984ee607927c6de61e4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7N3N2 CVE: CVE-2023-3609 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=af6eaa57986e82d7efd81984ee607927c6de61e4 --------------------------- [ Upstream commit 04c55383 ] In the event of a failure in tcf_change_indev(), u32_set_parms() will immediately return without decrementing the recently incremented reference counter. If this happens enough times, the counter will rollover and the reference freed, leading to a double free which can be used to do 'bad things'. In order to prevent this, move the point of possible failure above the point where the reference counter is incremented. Also save any meaningful return values to be applied to the return data at the appropriate point in time. This issue was caught with KASAN. Fixes: 705c7091 ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") Suggested-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N Lee Jones <lee@kernel.org> Reviewed-by: N Eric Dumazet <edumazet@google.com> Acked-by: N Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Lu Wei <luwei32@huawei.com> (cherry picked from commit dc7eeca1)

net/sched: cls_u32: Fix reference counter leak leading to overflow
stable inclusion from stable-v5.10.185 commit af6eaa57986e82d7efd81984ee607927c6de61e4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7N3N2 CVE: CVE-2023-3609 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=af6eaa57986e82d7efd81984ee607927c6de61e4 --------------------------- [ Upstream commit 04c55383 ] In the event of a failure in tcf_change_indev(), u32_set_parms() will immediately return without decrementing the recently incremented reference counter. If this happens enough times, the counter will rollover and the reference freed, leading to a double free which can be used to do 'bad things'. In order to prevent this, move the point of possible failure above the point where the reference counter is incremented. Also save any meaningful return values to be applied to the return data at the appropriate point in time. This issue was caught with KASAN. Fixes: 705c7091 ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") Suggested-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N Lee Jones <lee@kernel.org> Reviewed-by: N Eric Dumazet <edumazet@google.com> Acked-by: N Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Lu Wei <luwei32@huawei.com> (cherry picked from commit dc7eeca1)
78b46d0e · Lee Jones · openeuler-sync-bot · 1c5a571a · 78b46d0e
隐藏空白更改
内联并排

Showing with 10 addition and 8 deletion

net/sched/cls_u32.c net/sched/cls_u32.c +10 -8

未找到文件。
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -716,12 +716,18 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
 			 struct nlattr *est, bool ovr,
 			 struct netlink_ext_ack *extack)
 {
-	int err;
+	int err, ifindex = -1;

 	err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr, true, extack);
 	if (err < 0)
 		return err;

+	if (tb[TCA_U32_INDEV]) {
+		ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
+		if (ifindex < 0)
+			return -EINVAL;
+	}
+
 	if (tb[TCA_U32_LINK]) {
 		u32 handle = nla_get_u32(tb[TCA_U32_LINK]);
 		struct tc_u_hnode *ht_down = NULL, *ht_old;
@@ -756,13 +762,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
 		tcf_bind_filter(tp, &n->res, base);
 	}

-	if (tb[TCA_U32_INDEV]) {
-		int ret;
-		ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
-		if (ret < 0)
-			return -EINVAL;
-		n->ifindex = ret;
-	}
+	if (ifindex >= 0)
+		n->ifindex = ifindex;
+
 	return 0;
 }