From 889eaaeaa5aa88308347b90f53e1bd2301a50dec Mon Sep 17 00:00:00 2001 
From: Ryan Sullivan
Date: Mon, 25 Sep 2023 10:50:48 -0400
Subject: [KPATCH CVE-2023-3609] kpatch fixes for CVE-2023-3609

Kernels:
3.10.0-1160.88.1.el7
3.10.0-1160.90.1.el7
3.10.0-1160.92.1.el7
3.10.0-1160.95.1.el7
3.10.0-1160.99.1.el7

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/59
Approved-by: Yannick Cote (@ycote1)

Changes since last build:
[x86_64]:
cls_u32.o: changed function: u32_set_parms.isra.21
nf_tables_api.o: changed function: nf_tables_delsetelem
nf_tables_api.o: changed function: nf_tables_newsetelem
nf_tables_api.o: changed function: nf_tables_set_lookup
nf_tables_api.o: changed function: nf_tables_set_lookup_byid
nf_tables_api.o: changed function: nft_validate_register_store
nft_byteorder.o: changed function: nft_byteorder_eval
nft_dynset.o: changed function: nft_dynset_init
nft_lookup.o: changed function: nft_lookup_init

[ppc64le]:
cls_u32.o: changed function: u32_set_parms.isra.21
nf_tables_api.o: changed function: nf_tables_bind_check_setelem
nf_tables_api.o: changed function: nf_tables_delset
nf_tables_api.o: changed function: nf_tables_delsetelem
nf_tables_api.o: changed function: nf_tables_dump_set
nf_tables_api.o: changed function: nf_tables_getset
nf_tables_api.o: changed function: nf_tables_getsetelem
nf_tables_api.o: changed function: nf_tables_newset
nf_tables_api.o: changed function: nf_tables_newsetelem
nf_tables_api.o: changed function: nf_tables_set_lookup
nf_tables_api.o: changed function: nf_tables_set_lookup_byid
nf_tables_api.o: changed function: nft_add_set_elem
nf_tables_api.o: changed function: nft_validate_register_store
nft_byteorder.o: changed function: nft_byteorder_eval
nft_dynset.o: changed function: nft_dynset_init
nft_lookup.o: changed function: nft_lookup_init

---------------------------

Modifications: none

commit 867fb59af8011c735d38c08d6e6ecef67265cb4e
Author: Davide Caratti
Date: Tue Aug 8 11:18:31 2023 +0200

    net/sched: cls_u32: Fix reference counter leak leading to overflow

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225486
    CVE: CVE-2023-3609
    Upstream Status: net.git commit 04c55383fa56
    Conflicts:
     - net/sched/cls_u32.c: we still have CONFIG_NET_CLS_IND in rhel7, because of
       missing upstream commit a51486266c3b ("net: sched: remove NET_CLS_IND
       config option"), so the patch has been manually reworked to preserve use
       of #ifdef CONFIG_NET_CLS_IND
     - we also don't have extacks because of missing backport of upstream commit
       4b981dbc2272 ("net: sched: cls_u32: add extack support"), so the call to
       tcf_change_indev() has no 'extack' parameter

    commit 04c55383fa5689357bcdd2c8036725a55ed632bc
    Author: Lee Jones
    Date: Thu Jun 8 08:29:03 2023 +0100

        net/sched: cls_u32: Fix reference counter leak leading to overflow

        In the event of a failure in tcf_change_indev(), u32_set_parms() will
        immediately return without decrementing the recently incremented
        reference counter. If this happens enough times, the counter will
        rollover and the reference freed, leading to a double free which can be
        used to do 'bad things'.

        In order to prevent this, move the point of possible failure above the
        point where the reference counter is incremented. Also save any
        meaningful return values to be applied to the return data at the
        appropriate point in time.

        This issue was caught with KASAN.

        Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
        Suggested-by: Eric Dumazet
        Signed-off-by: Lee Jones
        Reviewed-by: Eric Dumazet
        Acked-by: Jamal Hadi Salim
        Signed-off-by: David S. Miller

    Signed-off-by: Davide Caratti

Signed-off-by: Ryan Sullivan
---
 net/sched/cls_u32.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 269dcb08fed5..cc9398e10451 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -768,11 +768,22 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, struct nlattr *est, bool ovr) { int err; +#ifdef CONFIG_NET_CLS_IND + int ifindex = -1; +#endif err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr); if (err < 0) return err; +#ifdef CONFIG_NET_CLS_IND + if (tb[TCA_U32_INDEV]) { + ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV]); + if (ifindex < 0) + return -EINVAL; + } +#endif + if (tb[TCA_U32_LINK]) { u32 handle = nla_get_u32(tb[TCA_U32_LINK]); struct tc_u_hnode *ht_down = NULL, *ht_old; @@ -800,14 +811,10 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, } #ifdef CONFIG_NET_CLS_IND - if (tb[TCA_U32_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_U32_INDEV]); - if (ret < 0) - return -EINVAL; - n->ifindex = ret; - } + if (ifindex >= 0) + n->ifindex = ifindex; #endif + return 0; } -- 2.40.1
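
Review bot: the ordering that carries the fix is undocumented in the first hunk (@@ -768,11 +768,22 @@): nothing at the new `if (tb[TCA_U32_INDEV])` block says it must stay ahead of the `TCA_U32_LINK` handling, and nothing explains the `ifindex = -1` sentinel. Suggest a short comment above the block stating that `tcf_change_indev()` is the last call that can fail and has to run before the link block, where per the commit message the reference counter is incremented, and that -1 means the attribute was not supplied. The new early `return -EINVAL` also sits after a successful `tcf_exts_validate()`, as the removed late return did, so please confirm the caller still releases `n->exts` on this path.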
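
Review bot: in the second hunk (@@ -800,14 +811,10 @@), the tail of `u32_set_parms()` after the `TCA_U32_LINK` block now has no error return, and that invariant is what prevents the leak, yet it is not stated anywhere a later backport would see it. Suggest a one-line comment before `return 0;` saying no failure path may be added below the link handling. The guard `if (ifindex >= 0)` depends on the -1 initialisation in the first hunk and on both sites sharing the same `#ifdef CONFIG_NET_CLS_IND`, so the two should be kept together if this is reworked again. The blank line added before `return 0;` is a whitespace-only change; keep it only if it matches the upstream commit.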