ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference

maillist inclusion category: bugfix bugzilla: 18774, https://gitee.com/src-openeuler/kernel/issues/I5UJIE CVE: CVE-2022-3435 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=61b91eb33a69c3be11b259c5ea484505cd79f883 -------------------------------- Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to be deleted route contains a multipath spec while the fib_info is using a nexthop object. Fixes: 493ced1a ("ipv4: Allow routes to use nexthop objects") Fixes: 6bf92d70 ("net: ipv4: fix route with nexthop object delete warning") Reported-by: N Gwangun Jung <exsociety@gmail.com> Signed-off-by: N David Ahern <dsahern@kernel.org> Reviewed-by: N Ido Schimmel <idosch@nvidia.com> Tested-by: N Ido Schimmel <idosch@nvidia.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Dong Chenchen <dongchenchen2@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference
maillist inclusion category: bugfix bugzilla: 18774, https://gitee.com/src-openeuler/kernel/issues/I5UJIE CVE: CVE-2022-3435 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=61b91eb33a69c3be11b259c5ea484505cd79f883 -------------------------------- Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to be deleted route contains a multipath spec while the fib_info is using a nexthop object. Fixes: 493ced1a ("ipv4: Allow routes to use nexthop objects") Fixes: 6bf92d70 ("net: ipv4: fix route with nexthop object delete warning") Reported-by: N Gwangun Jung <exsociety@gmail.com> Signed-off-by: N David Ahern <dsahern@kernel.org> Reviewed-by: N Ido Schimmel <idosch@nvidia.com> Tested-by: N Ido Schimmel <idosch@nvidia.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Dong Chenchen <dongchenchen2@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
c4596516 · David Ahern · Zheng Zengkai · 378c3ebb · c4596516
隐藏空白更改
内联并排

Showing with 4 addition and 4 deletion

net/ipv4/fib_semantics.c net/ipv4/fib_semantics.c +4 -4

未找到文件。
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -887,13 +887,13 @@ int fib_nh_match(struct net *net, struct fib_config *cfg, struct fib_info *fi,
 		return 1;
 	}

+	/* cannot match on nexthop object attributes */
+	if (fi->nh)
+		return 1;
+
 	if (cfg->fc_oif || cfg->fc_gw_family) {
 		struct fib_nh *nh;

-		/* cannot match on nexthop object attributes */
-		if (fi->nh)
-			return 1;
-
 		nh = fib_info_nh(fi, 0);
 		if (cfg->fc_encap) {
 			if (fib_encap_match(net, cfg->fc_encap_type,