Blame SOURCES/CVE-2021-3715.patch

From: Artem Savkov <asavkov@redhat.com>
Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
Date: Mon, 30 Aug 2021 17:33:51 +0200

Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7

Changes since last build:
arches: x86_64 ppc64le
cls_route.o: changed function: route4_change
---------------------------

Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7

Modifications: none
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251

commit f4e1814eb56167451ddd819fccb951178f97660b
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Tue Aug 17 12:21:33 2021 +0200

    net_sched: cls_route: remove the right filter from hashtable

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926

    commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
    Author: Cong Wang <xiyou.wangcong@gmail.com>
    Date:   Fri Mar 13 22:29:54 2020 -0700

        net_sched: cls_route: remove the right filter from hashtable

        route4_change() allocates a new filter and copies values from
        the old one. After the new filter is inserted into the hash
        table, the old filter should be removed and freed, as the final
        step of the update.

        However, the current code mistakenly removes the new one. This
        looks apparently wrong to me, and it causes double "free" and
        use-after-free too, as reported by syzbot.

        Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
        Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
        Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
        Fixes: 1109c00547fc ("net: sched: RCU cls_route")
        Cc: Jamal Hadi Salim <jhs@mojatatu.com>
        Cc: Jiri Pirko <jiri@resnulli.us>
        Cc: John Fastabend <john.fastabend@gmail.com>
        Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
        Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Ivan Vecera <ivecera@redhat.com>

Signed-off-by: Artem Savkov <asavkov@redhat.com>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 net/sched/cls_route.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 7bd464e8d084..2fed29fa504e 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 			fp = &b->ht[h];
 			for (pfp = rtnl_dereference(*fp); pfp;
 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
-				if (pfp == f) {
-					*fp = f->next;
+				if (pfp == fold) {
+					rcu_assign_pointer(*fp, fold->next);
 					break;
 				}
 			}
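
Review bot: the added line `rcu_assign_pointer(*fp, fold->next);` carries two changes, and the commit message only explains one of them. Switching the match and unlink from `f` to `fold` is the fix the log describes (the old filter is the one that must leave the chain before it is freed), but the store also moves from a plain `*fp = ...` to `rcu_assign_pointer()`, which is a separate ordering change for readers walking the bucket; a sentence in the log saying so would make the backport easier to audit. Separately, the bucket in `fp = &b->ht[h];` is selected above the visible context, so it is worth confirming in the full function that `b` and `h` are derived from `fold`'s handle rather than the new filter's; if they are not, the `pfp == fold` test never matches and the old entry stays linked while it is freed. The loop also falls through silently when no entry matches, so a short comment stating that a miss is expected to be impossible here would help the next reader.
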
-- 
2.31.1