From: Artem Savkov <asavkov@redhat.com>
Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
Date: Mon, 30 Aug 2021 17:33:51 +0200

Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7

Changes since last build:
arches: x86_64 ppc64le
cls_route.o: changed function: route4_change
---------------------------

Kernels:
3.10.0-1160.41.1.el7

Modifications: none
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251

commit f4e1814eb56167451ddd819fccb951178f97660b
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Tue Aug 17 12:21:33 2021 +0200

    net_sched: cls_route: remove the right filter from hashtable

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926

    commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
    Author: Cong Wang <xiyou.wangcong@gmail.com>
    Date:   Fri Mar 13 22:29:54 2020 -0700

        net_sched: cls_route: remove the right filter from hashtable

        route4_change() allocates a new filter and copies values from
        the old one. After the new filter is inserted into the hash
        table, the old filter should be removed and freed, as the final
        step of the update.

        However, the current code mistakenly removes the new one. This
        looks apparently wrong to me, and it causes double "free" and
        use-after-free too, as reported by syzbot.

        Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
        Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
        Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
        Fixes: 1109c00547fc ("net: sched: RCU cls_route")
        Cc: Jamal Hadi Salim <jhs@mojatatu.com>
        Cc: Jiri Pirko <jiri@resnulli.us>
        Cc: John Fastabend <john.fastabend@gmail.com>
        Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
        Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Ivan Vecera <ivecera@redhat.com>

Signed-off-by: Artem Savkov <asavkov@redhat.com>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 net/sched/cls_route.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 7bd464e8d084..2fed29fa504e 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 			fp = &b->ht[h];
 			for (pfp = rtnl_dereference(*fp); pfp;
 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
-				if (pfp == f) {
-					*fp = f->next;
+				if (pfp == fold) {
+					rcu_assign_pointer(*fp, fold->next);
 					break;
 				}
 			}
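Review bot: the hunk only shows the unlink; the node being spliced out here is now `fold`, which the commit message says is freed as the final step of the update, so the teardown that follows this loop (outside the hunk) must defer the free by an RCU grace period rather than kfree it synchronously, since the bucket chain is read under RCU (`rtnl_dereference` here, and the switch from `*fp = f->next` to `rcu_assign_pointer(*fp, fold->next)` confirms the store is a publication point). Worth confirming in the kpatch that the post-loop free path is the same as upstream and that the changelog's "changed function: route4_change" is the only symbol touched.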
-- 
2.31.1
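The commit message describes the defect in prose: the update allocates a new filter, links it into the bucket, then unlinks the wrong one (the new filter instead of the old) before freeing the old one, so the bucket keeps a pointer to freed memory. The following is an added example written for this page, not code from the kernel or from the patch: a small user-space model of that bucket-chain update with a `buggy` switch that reproduces the wrong unlink target, plus a reachability check that shows why freeing `fold` is only safe in the fixed version. RCU publication is not modelled (plain stores stand in for `rcu_assign_pointer`), and `struct filt`, `struct bucket`, `replace_filter()` and `try_update()` are hypothetical names chosen for the example.

```c
/* Added example, not kernel code: toy model of the cls_route
 * update-by-replace pattern and the wrong-unlink bug fixed above.
 * Names (struct filt, struct bucket, replace_filter, try_update)
 * are hypothetical; RCU publication is not modelled. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HT_SIZE 16

struct filt {
    unsigned int handle;   /* identifies the filter; hashed into a bucket */
    int          classid;  /* the state an update changes */
    struct filt *next;     /* singly linked bucket chain, like b->ht[h] */
};

struct bucket {
    struct filt *ht[HT_SIZE];
};

static unsigned int from_hash(unsigned int handle)
{
    return handle & (HT_SIZE - 1);
}

/* Is this exact node still linked from the table?  This is the invariant a
 * reviewer wants to hold for fold before it is freed. */
static int is_reachable(const struct bucket *b, const struct filt *node)
{
    for (unsigned int h = 0; h < HT_SIZE; h++)
        for (const struct filt *p = b->ht[h]; p; p = p->next)
            if (p == node)
                return 1;
    return 0;
}

static struct filt *lookup(const struct bucket *b, unsigned int handle)
{
    for (struct filt *p = b->ht[from_hash(handle)]; p; p = p->next)
        if (p->handle == handle)
            return p;
    return NULL;
}

/* Allocate a filter and publish it at the head of its chain. */
static struct filt *insert_new(struct bucket *b, unsigned int handle, int classid)
{
    struct filt *f = calloc(1, sizeof(*f));
    if (!f)
        abort();
    f->handle = handle;
    f->classid = classid;
    f->next = b->ht[from_hash(handle)];
    b->ht[from_hash(handle)] = f;
    return f;
}

/* Mirror of the for-loop in route4_change(): walk pfp down the chain
 * starting at *fp and splice out 'victim'.  Returns 1 if it was found. */
static int unlink_filter(struct filt **fp, struct filt *victim)
{
    for (struct filt *pfp = *fp; pfp; fp = &pfp->next, pfp = *fp) {
        if (pfp == victim) {
            *fp = victim->next;
            return 1;
        }
    }
    return 0;
}

/* Update the filter for 'handle': allocate f, link it in, then unlink the OLD
 * one.  With buggy != 0 the loop targets f instead of fold, which is the
 * mistake the patch corrects.  Returns fold, the node the caller frees next. */
static struct filt *replace_filter(struct bucket *b, unsigned int handle,
                                   int classid, int buggy, struct filt **new_out)
{
    struct filt *fold = lookup(b, handle);
    if (!fold)
        return NULL;
    struct filt *f = insert_new(b, handle, classid);
    unlink_filter(&b->ht[from_hash(handle)], buggy ? f : fold);
    *new_out = f;
    return fold;
}

struct outcome {
    int old_still_reachable;  /* 1 => freeing fold leaves a dangling pointer (UAF) */
    int new_reachable;        /* 0 => the update was lost and f is leaked */
    int visible_classid;      /* what a lookup of the handle now returns */
};

/* Run one update on a fresh table and report what the table looks like at the
 * point where route4_change would free fold.  Memory is torn down safely. */
static struct outcome try_update(int buggy)
{
    struct bucket b;
    struct outcome o;
    struct filt *f = NULL, *fold, *cur;

    memset(&b, 0, sizeof(b));
    insert_new(&b, 0x10, 1);                         /* existing filter, classid 1 */
    fold = replace_filter(&b, 0x10, 2, buggy, &f);   /* update it to classid 2 */
    o.old_still_reachable = is_reachable(&b, fold);
    o.new_reachable = is_reachable(&b, f);
    cur = lookup(&b, 0x10);
    o.visible_classid = cur ? cur->classid : -1;

    /* Unlink whichever node is still linked before freeing, so the example
     * itself never frees reachable memory. */
    unlink_filter(&b.ht[from_hash(0x10)], fold);
    unlink_filter(&b.ht[from_hash(0x10)], f);
    free(fold);
    free(f);
    return o;
}

int main(void)
{
    struct outcome fixed = try_update(0), buggy = try_update(1);
    printf("fixed: old reachable=%d new reachable=%d lookup classid=%d\n",
           fixed.old_still_reachable, fixed.new_reachable, fixed.visible_classid);
    printf("buggy: old reachable=%d new reachable=%d lookup classid=%d\n",
           buggy.old_still_reachable, buggy.new_reachable, buggy.visible_classid);
    return 0;
}
```

In the fixed path the old node is unreachable when it is freed and a lookup sees the new classid; in the buggy path the old node is still linked at the moment it would be freed (the use-after-free the syzbot reports describe), the new node has been dropped from the chain (the update is lost and the allocation leaks), and a later delete of the handle would walk into the freed node again, which is the double free.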