|
 |
74ad9e |
From: Artem Savkov <asavkov@redhat.com>
|
|
|
74ad9e |
Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
|
|
|
74ad9e |
Date: Mon, 30 Aug 2021 17:33:51 +0200
|
|
|
74ad9e |
|
|
|
74ad9e |
Kernels:
|
|
|
74ad9e |
3.10.0-1160.el7
|
|
|
74ad9e |
3.10.0-1160.2.1.el7
|
|
|
74ad9e |
3.10.0-1160.2.2.el7
|
|
|
74ad9e |
3.10.0-1160.6.1.el7
|
|
|
74ad9e |
3.10.0-1160.11.1.el7
|
|
|
74ad9e |
3.10.0-1160.15.2.el7
|
|
|
74ad9e |
3.10.0-1160.21.1.el7
|
|
|
74ad9e |
3.10.0-1160.24.1.el7
|
|
|
74ad9e |
3.10.0-1160.25.1.el7
|
|
|
74ad9e |
3.10.0-1160.31.1.el7
|
|
|
74ad9e |
3.10.0-1160.36.2.el7
|
|
|
74ad9e |
3.10.0-1160.41.1.el7
|
|
|
74ad9e |
|
|
|
74ad9e |
Changes since last build:
|
|
|
74ad9e |
arches: x86_64 ppc64le
|
|
|
74ad9e |
cls_route.o: changed function: route4_change
|
|
|
74ad9e |
---------------------------
|
|
|
74ad9e |
|
|
|
74ad9e |
Kernels:
|
|
|
74ad9e |
3.10.0-1160.el7
|
|
|
74ad9e |
3.10.0-1160.2.1.el7
|
|
|
74ad9e |
3.10.0-1160.2.2.el7
|
|
|
74ad9e |
3.10.0-1160.6.1.el7
|
|
|
74ad9e |
3.10.0-1160.11.1.el7
|
|
|
74ad9e |
3.10.0-1160.15.2.el7
|
|
|
74ad9e |
3.10.0-1160.21.1.el7
|
|
|
74ad9e |
3.10.0-1160.24.1.el7
|
|
|
74ad9e |
3.10.0-1160.25.1.el7
|
|
|
74ad9e |
3.10.0-1160.31.1.el7
|
|
|
74ad9e |
3.10.0-1160.36.2.el7
|
|
|
74ad9e |
|
|
|
74ad9e |
Modifications: none
|
|
|
74ad9e |
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251
|
|
|
74ad9e |
|
|
|
74ad9e |
commit f4e1814eb56167451ddd819fccb951178f97660b
|
|
|
74ad9e |
Author: Ivan Vecera <ivecera@redhat.com>
|
|
|
74ad9e |
Date: Tue Aug 17 12:21:33 2021 +0200
|
|
|
74ad9e |
|
|
|
74ad9e |
net_sched: cls_route: remove the right filter from hashtable
|
|
|
74ad9e |
|
|
|
74ad9e |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926
|
|
|
74ad9e |
|
|
|
74ad9e |
commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
|
|
|
74ad9e |
Author: Cong Wang <xiyou.wangcong@gmail.com>
|
|
|
74ad9e |
Date: Fri Mar 13 22:29:54 2020 -0700
|
|
|
74ad9e |
|
|
|
74ad9e |
net_sched: cls_route: remove the right filter from hashtable
|
|
|
74ad9e |
|
|
|
74ad9e |
route4_change() allocates a new filter and copies values from
|
|
|
74ad9e |
the old one. After the new filter is inserted into the hash
|
|
|
74ad9e |
table, the old filter should be removed and freed, as the final
|
|
|
74ad9e |
step of the update.
|
|
|
74ad9e |
|
|
|
74ad9e |
However, the current code mistakenly removes the new one. This
|
|
|
74ad9e |
looks apparently wrong to me, and it causes double "free" and
|
|
|
74ad9e |
use-after-free too, as reported by syzbot.
|
|
|
74ad9e |
|
|
|
74ad9e |
Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
|
|
|
74ad9e |
Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
|
|
|
74ad9e |
Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
|
|
|
74ad9e |
Fixes: 1109c00547fc ("net: sched: RCU cls_route")
|
|
|
74ad9e |
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
74ad9e |
Cc: Jiri Pirko <jiri@resnulli.us>
|
|
|
74ad9e |
Cc: John Fastabend <john.fastabend@gmail.com>
|
|
|
74ad9e |
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
|
|
|
74ad9e |
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
74ad9e |
|
|
|
74ad9e |
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
|
|
|
74ad9e |
|
|
|
74ad9e |
Signed-off-by: Artem Savkov <asavkov@redhat.com>
|
|
|
74ad9e |
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
74ad9e |
---
|
|
|
74ad9e |
net/sched/cls_route.c | 4 ++--
|
|
|
74ad9e |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
74ad9e |
|
|
|
74ad9e |
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
|
|
|
74ad9e |
index 7bd464e8d084..2fed29fa504e 100644
|
|
|
74ad9e |
--- a/net/sched/cls_route.c
|
|
|
74ad9e |
+++ b/net/sched/cls_route.c
|
|
|
74ad9e |
@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
|
|
|
74ad9e |
fp = &b->ht[h];
|
|
|
74ad9e |
for (pfp = rtnl_dereference(*fp); pfp;
|
|
|
74ad9e |
fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
|
|
|
74ad9e |
- if (pfp == f) {
|
|
|
74ad9e |
- *fp = f->next;
|
|
|
74ad9e |
+ if (pfp == fold) {
|
|
|
74ad9e |
+ rcu_assign_pointer(*fp, fold->next);
|
|
|
74ad9e |
break;
|
|
|
74ad9e |
}
|
|
|
74ad9e |
}
|
|
|
74ad9e |
--
|
|
|
74ad9e |
2.31.1
|
|
|
74ad9e |
|
|
|
74ad9e |
|