From 889eaaeaa5aa88308347b90f53e1bd2301a50dec Mon Sep 17 00:00:00 2001

From: Ryan Sullivan <rysulliv@redhat.com>

Date: Mon, 25 Sep 2023 10:50:48 -0400

Subject: [KPATCH CVE-2023-3609] kpatch fixes for CVE-2023-3609

Kernels:

3.10.0-1160.88.1.el7

3.10.0-1160.90.1.el7

3.10.0-1160.92.1.el7

3.10.0-1160.95.1.el7

3.10.0-1160.99.1.el7

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/59

Approved-by: Yannick Cote (@ycote1)

Changes since last build:

[x86_64]:

cls_u32.o: changed function: u32_set_parms.isra.21

nf_tables_api.o: changed function: nf_tables_newsetelem

nf_tables_api.o: changed function: nf_tables_set_lookup

nf_tables_api.o: changed function: nf_tables_set_lookup_byid

nft_byteorder.o: changed function: nft_byteorder_eval

nft_dynset.o: changed function: nft_dynset_init

nft_lookup.o: changed function: nft_lookup_init

[ppc64le]:

cls_u32.o: changed function: u32_set_parms.isra.21

nf_tables_api.o: changed function: nf_tables_delset

nf_tables_api.o: changed function: nf_tables_dump_set

nf_tables_api.o: changed function: nf_tables_getset

nf_tables_api.o: changed function: nf_tables_getsetelem

nf_tables_api.o: changed function: nf_tables_newsetelem

nf_tables_api.o: changed function: nf_tables_set_lookup

nf_tables_api.o: changed function: nf_tables_set_lookup_byid

nft_byteorder.o: changed function: nft_byteorder_eval

nft_dynset.o: changed function: nft_dynset_init

nft_lookup.o: changed function: nft_lookup_init

---------------------------

Modifications: none

commit 867fb59af8011c735d38c08d6e6ecef67265cb4e

Author: Davide Caratti <dcaratti@redhat.com>

Date:   Tue Aug 8 11:18:31 2023 +0200

    net/sched: cls_u32: Fix reference counter leak leading to overflow

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225486

    CVE: CVE-2023-3609

    Upstream Status: net.git commit 04c55383fa56

    Conflicts:

      - net/sched/cls_u32.c: we still have CONFIG_NET_CLS_IND in rhel7,

        because of missing upstream commit a51486266c3b ("net: sched: remove

        NET_CLS_IND config option"), so the patch has been manually reworked

        to preserve use of #ifdef CONFIG_NET_CLS_IND

      - we also don't have extacks because of missing backport of upstream

        commit 4b981dbc2272 ("net: sched: cls_u32: add extack support"), so

        the call to tcf_change_indev() has no 'extack' parameter

    commit 04c55383fa5689357bcdd2c8036725a55ed632bc

    Author: Lee Jones <lee@kernel.org>

    Date:   Thu Jun 8 08:29:03 2023 +0100

        net/sched: cls_u32: Fix reference counter leak leading to overflow

        In the event of a failure in tcf_change_indev(), u32_set_parms() will

        immediately return without decrementing the recently incremented

        reference counter.  If this happens enough times, the counter will

        rollover and the reference freed, leading to a double free which can be

        used to do 'bad things'.

        In order to prevent this, move the point of possible failure above the

        point where the reference counter is incremented.  Also save any

        meaningful return values to be applied to the return data at the

        appropriate point in time.

        This issue was caught with KASAN.

        Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")

        Suggested-by: Eric Dumazet <edumazet@google.com>

        Signed-off-by: Lee Jones <lee@kernel.org>

        Reviewed-by: Eric Dumazet <edumazet@google.com>

        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>

        Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>

---

 net/sched/cls_u32.c | 21 ++++++++++++++-------

 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c

index 269dcb08fed5..cc9398e10451 100644

--- a/net/sched/cls_u32.c

+++ b/net/sched/cls_u32.c

@@ -768,11 +768,22 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,

 			 struct nlattr *est, bool ovr)

 {

 	int err;

+#ifdef CONFIG_NET_CLS_IND

+	int ifindex = -1;

+#endif

 	err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr);

 	if (err < 0)

 		return err;

+#ifdef CONFIG_NET_CLS_IND

+	if (tb[TCA_U32_INDEV]) {

+		ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV]);

+		if (ifindex < 0)

+			return -EINVAL;

+	}

+#endif

+

 	if (tb[TCA_U32_LINK]) {

 		u32 handle = nla_get_u32(tb[TCA_U32_LINK]);

 		struct tc_u_hnode *ht_down = NULL, *ht_old;

@@ -800,14 +811,10 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,

 	}

 #ifdef CONFIG_NET_CLS_IND

-	if (tb[TCA_U32_INDEV]) {

-		int ret;

-		ret = tcf_change_indev(net, tb[TCA_U32_INDEV]);

-		if (ret < 0)

-			return -EINVAL;

-		n->ifindex = ret;

-	}

+	if (ifindex >= 0)

+		n->ifindex = ifindex;

 #endif

+

 	return 0;

 }

-- 

2.40.1