SOURCES/CVE-2021-3715.patch

From: Artem Savkov <asavkov@redhat.com>
Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
Date: Mon, 30 Aug 2021 17:33:51 +0200
Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
Changes since last build:
arches: x86_64 ppc64le
cls_route.o: changed function: route4_change
---------------------------
Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
Modifications: none
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251
commit f4e1814eb56167451ddd819fccb951178f97660b
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Tue Aug 17 12:21:33 2021 +0200
    net_sched: cls_route: remove the right filter from hashtable
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926
    commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
    Author: Cong Wang <xiyou.wangcong@gmail.com>
    Date:   Fri Mar 13 22:29:54 2020 -0700
        net_sched: cls_route: remove the right filter from hashtable
        route4_change() allocates a new filter and copies values from
        the old one. After the new filter is inserted into the hash
        table, the old filter should be removed and freed, as the final
        step of the update.
        However, the current code mistakenly removes the new one. This
        looks apparently wrong to me, and it causes double "free" and
        use-after-free too, as reported by syzbot.
        Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
        Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
        Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
        Fixes: 1109c00547fc ("net: sched: RCU cls_route")
        Cc: Jamal Hadi Salim <jhs@mojatatu.com>
        Cc: Jiri Pirko <jiri@resnulli.us>
        Cc: John Fastabend <john.fastabend@gmail.com>
        Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
        Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 net/sched/cls_route.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 7bd464e8d084..2fed29fa504e 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 			fp = &b->ht[h];
 			for (pfp = rtnl_dereference(*fp); pfp;
 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
-				if (pfp == f) {
-					*fp = f->next;
+				if (pfp == fold) {
+					rcu_assign_pointer(*fp, fold->next);
 					break;
 				}
 			}
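Review bot: the hunk only unlinks `fold` from the bucket chain; it does not show what is done with `fold` afterwards, and the commit message says the old filter must be "removed and freed" as the final step, so confirm that the code following this loop (outside the hunk) hands `fold`, not `f`, to the RCU-deferred free, otherwise only half of the double free is closed. Replacing the plain store `*fp = f->next;` with `rcu_assign_pointer(*fp, fold->next);` is right on its own merits: the chain is walked lock-free by the classifier, so the unlink needs the publish barrier the bare assignment lacked. One thing to verify in the kpatch build: this loop compares against `fold` unconditionally, so it should only be reached when a filter is actually being replaced; the `if (fold)` guard upstream keeps around this block is not visible in the context here, and with `fold == NULL` the loop degenerates into a full walk of the bucket that never matches.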
-- 
2.31.1
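Added example, not from the kpatch or from net/sched/cls_route.c: a user-space C model of the route4_change() replace path the commit message above describes. One hash bucket is kept as a singly linked chain, the new filter is linked in ahead of the old one, then the unlink loop runs either in its pre-fix form (match on `f`) or in its fixed form (match on `fold`), and finally the old filter is released. The RCU accessors are replaced by plain loads and stores (single thread), and release is modelled by a `freed` flag so the broken chain can be inspected instead of dereferenced; struct and function names are mine, chosen to mirror the kernel's, and the handles and classids are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Subset of the kernel's struct route4_filter (added model, not the
 * kernel's definition). `freed` stands in for the RCU-deferred kfree()
 * so a stale reference can be detected rather than dereferenced. */
struct route4_filter {
	unsigned int handle;
	unsigned int classid;
	struct route4_filter *next;
	bool freed;
};

struct route4_bucket {
	struct route4_filter *ht[16];
};

/* Chain walk as route4_classify() would do it: first matching handle or NULL. */
static struct route4_filter *bucket_lookup(struct route4_bucket *b,
					   unsigned int h, unsigned int handle)
{
	struct route4_filter *f;

	for (f = b->ht[h]; f; f = f->next)
		if (f->handle == handle)
			return f;
	return NULL;
}

/* Replace `fold` in slot h with a new filter carrying `new_classid`.
 * `buggy` selects the pre-fix unlink (`pfp == f`) or the fixed one
 * (`pfp == fold`). Returns the new filter, NULL on allocation failure. */
static struct route4_filter *route4_change_model(struct route4_bucket *b,
						 unsigned int h,
						 struct route4_filter *fold,
						 unsigned int new_classid,
						 bool buggy)
{
	struct route4_filter *f, **fp, *pfp;

	f = calloc(1, sizeof(*f));
	if (!f)
		return NULL;
	f->handle = fold->handle;	/* copy values from the old filter */
	f->classid = new_classid;	/* then apply the update */

	/* Link the new filter in at the head (rcu_assign_pointer() in the kernel). */
	f->next = b->ht[h];
	b->ht[h] = f;

	/* Unlink exactly one filter: the pre-fix code removed the one it had
	 * just inserted, the fix removes the one about to be freed. */
	fp = &b->ht[h];
	for (pfp = *fp; pfp; fp = &pfp->next, pfp = *fp) {
		if (pfp == (buggy ? f : fold)) {
			*fp = pfp->next;
			break;
		}
	}

	/* Final step of the update: release the old filter. With the buggy
	 * unlink it is still reachable from the chain at this point. */
	fold->freed = true;
	return f;
}

/* True if a released filter is still reachable: a lookup hitting it is the
 * use-after-free, a later chain teardown freeing it again is the double free. */
static bool chain_has_freed_entry(struct route4_bucket *b, unsigned int h)
{
	struct route4_filter *f;

	for (f = b->ht[h]; f; f = f->next)
		if (f->freed)
			return true;
	return false;
}

/* Two constructed filters in one bucket; replace handle 0x12 and report
 * whether the chain is sane afterwards (lookup hits a live filter, nothing
 * released remains reachable). *classid_seen receives the classid the
 * lookup returned, 0 if nothing was found. */
static bool run_scenario(bool buggy, unsigned int *classid_seen)
{
	struct route4_bucket b = { { NULL } };
	struct route4_filter other = { .handle = 0x11, .classid = 0x10001 };
	struct route4_filter old = { .handle = 0x12, .classid = 0x10002 };
	struct route4_filter *f, *hit;
	const unsigned int h = 3;
	bool sane;

	old.next = &other;
	b.ht[h] = &old;

	f = route4_change_model(&b, h, &old, 0x10099, buggy);
	if (!f)
		return false;

	hit = bucket_lookup(&b, h, 0x12);
	*classid_seen = hit ? hit->classid : 0;
	sane = hit && !hit->freed && !chain_has_freed_entry(&b, h);
	free(f);
	return sane;
}

int main(void)
{
	unsigned int classid;
	bool ok;

	ok = run_scenario(false, &classid);
	printf("fixed unlink: chain %s, lookup sees classid 0x%x\n",
	       ok ? "sane" : "BROKEN", classid);
	ok = run_scenario(true, &classid);
	printf("buggy unlink: chain %s, lookup sees classid 0x%x\n",
	       ok ? "sane" : "BROKEN", classid);
	return 0;
}
```

With the buggy unlink the freshly inserted filter is the one taken out of the chain, so the lookup lands on the released old filter and still returns its stale classid; with the fixed unlink the lookup returns the updated classid and no released filter is reachable. In the kernel the same situation is reached only once the RCU grace period has passed and the old filter's memory is actually gone, which is why syzbot saw it as a use-after-free and, when the chain was torn down, a double free.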