|
 |
e7c1b7 |
From 889eaaeaa5aa88308347b90f53e1bd2301a50dec Mon Sep 17 00:00:00 2001
|
|
|
e7c1b7 |
From: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
e7c1b7 |
Date: Mon, 25 Sep 2023 10:50:48 -0400
|
|
|
e7c1b7 |
Subject: [KPATCH CVE-2023-3609] kpatch fixes for CVE-2023-3609
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Kernels:
|
|
|
e7c1b7 |
3.10.0-1160.88.1.el7
|
|
|
e7c1b7 |
3.10.0-1160.90.1.el7
|
|
|
e7c1b7 |
3.10.0-1160.92.1.el7
|
|
|
e7c1b7 |
3.10.0-1160.95.1.el7
|
|
|
e7c1b7 |
3.10.0-1160.99.1.el7
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/59
|
|
|
e7c1b7 |
Approved-by: Yannick Cote (@ycote1)
|
|
|
e7c1b7 |
Changes since last build:
|
|
|
e7c1b7 |
[x86_64]:
|
|
|
e7c1b7 |
cls_u32.o: changed function: u32_set_parms.isra.21
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_delsetelem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_newsetelem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_set_lookup
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_set_lookup_byid
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nft_validate_register_store
|
|
|
e7c1b7 |
nft_byteorder.o: changed function: nft_byteorder_eval
|
|
|
e7c1b7 |
nft_dynset.o: changed function: nft_dynset_init
|
|
|
e7c1b7 |
nft_lookup.o: changed function: nft_lookup_init
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
[ppc64le]:
|
|
|
e7c1b7 |
cls_u32.o: changed function: u32_set_parms.isra.21
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_bind_check_setelem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_delset
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_delsetelem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_dump_set
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_getset
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_getsetelem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_newset
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_newsetelem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_set_lookup
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nf_tables_set_lookup_byid
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nft_add_set_elem
|
|
|
e7c1b7 |
nf_tables_api.o: changed function: nft_validate_register_store
|
|
|
e7c1b7 |
nft_byteorder.o: changed function: nft_byteorder_eval
|
|
|
e7c1b7 |
nft_dynset.o: changed function: nft_dynset_init
|
|
|
e7c1b7 |
nft_lookup.o: changed function: nft_lookup_init
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
---------------------------
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Modifications: none
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
commit 867fb59af8011c735d38c08d6e6ecef67265cb4e
|
|
|
e7c1b7 |
Author: Davide Caratti <dcaratti@redhat.com>
|
|
|
e7c1b7 |
Date: Tue Aug 8 11:18:31 2023 +0200
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
net/sched: cls_u32: Fix reference counter leak leading to overflow
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225486
|
|
|
e7c1b7 |
CVE: CVE-2023-3609
|
|
|
e7c1b7 |
Upstream Status: net.git commit 04c55383fa56
|
|
|
e7c1b7 |
Conflicts:
|
|
|
e7c1b7 |
- net/sched/cls_u32.c: we still have CONFIG_NET_CLS_IND in rhel7,
|
|
|
e7c1b7 |
because of missing upstream commit a51486266c3b ("net: sched: remove
|
|
|
e7c1b7 |
NET_CLS_IND config option"), so the patch has been manually reworked
|
|
|
e7c1b7 |
to preserve use of #ifdef CONFIG_NET_CLS_IND
|
|
|
e7c1b7 |
- we also don't have extacks because of missing backport of upstream
|
|
|
e7c1b7 |
commit 4b981dbc2272 ("net: sched: cls_u32: add extack support"), so
|
|
|
e7c1b7 |
the call to tcf_change_indev() has no 'extack' parameter
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
commit 04c55383fa5689357bcdd2c8036725a55ed632bc
|
|
|
e7c1b7 |
Author: Lee Jones <lee@kernel.org>
|
|
|
e7c1b7 |
Date: Thu Jun 8 08:29:03 2023 +0100
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
net/sched: cls_u32: Fix reference counter leak leading to overflow
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
In the event of a failure in tcf_change_indev(), u32_set_parms() will
|
|
|
e7c1b7 |
immediately return without decrementing the recently incremented
|
|
|
e7c1b7 |
reference counter. If this happens enough times, the counter will
|
|
|
e7c1b7 |
rollover and the reference freed, leading to a double free which can be
|
|
|
e7c1b7 |
used to do 'bad things'.
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
In order to prevent this, move the point of possible failure above the
|
|
|
e7c1b7 |
point where the reference counter is incremented. Also save any
|
|
|
e7c1b7 |
meaningful return values to be applied to the return data at the
|
|
|
e7c1b7 |
appropriate point in time.
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
This issue was caught with KASAN.
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
|
|
|
e7c1b7 |
Suggested-by: Eric Dumazet <edumazet@google.com>
|
|
|
e7c1b7 |
Signed-off-by: Lee Jones <lee@kernel.org>
|
|
|
e7c1b7 |
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
|
|
e7c1b7 |
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
e7c1b7 |
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
e7c1b7 |
---
|
|
|
e7c1b7 |
net/sched/cls_u32.c | 21 ++++++++++++++-------
|
|
|
e7c1b7 |
1 file changed, 14 insertions(+), 7 deletions(-)
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
|
|
|
e7c1b7 |
index 269dcb08fed5..cc9398e10451 100644
|
|
|
e7c1b7 |
--- a/net/sched/cls_u32.c
|
|
|
e7c1b7 |
+++ b/net/sched/cls_u32.c
|
|
|
e7c1b7 |
@@ -768,11 +768,22 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
|
|
|
e7c1b7 |
struct nlattr *est, bool ovr)
|
|
|
e7c1b7 |
{
|
|
|
e7c1b7 |
int err;
|
|
|
e7c1b7 |
+#ifdef CONFIG_NET_CLS_IND
|
|
|
e7c1b7 |
+ int ifindex = -1;
|
|
|
e7c1b7 |
+#endif
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr);
|
|
|
e7c1b7 |
if (err < 0)
|
|
|
e7c1b7 |
return err;
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
+#ifdef CONFIG_NET_CLS_IND
|
|
|
e7c1b7 |
+ if (tb[TCA_U32_INDEV]) {
|
|
|
e7c1b7 |
+ ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV]);
|
|
|
e7c1b7 |
+ if (ifindex < 0)
|
|
|
e7c1b7 |
+ return -EINVAL;
|
|
|
e7c1b7 |
+ }
|
|
|
e7c1b7 |
+#endif
|
|
|
e7c1b7 |
+
|
|
|
e7c1b7 |
if (tb[TCA_U32_LINK]) {
|
|
|
e7c1b7 |
u32 handle = nla_get_u32(tb[TCA_U32_LINK]);
|
|
|
e7c1b7 |
struct tc_u_hnode *ht_down = NULL, *ht_old;
|
|
|
e7c1b7 |
@@ -800,14 +811,10 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
|
|
|
e7c1b7 |
}
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
#ifdef CONFIG_NET_CLS_IND
|
|
|
e7c1b7 |
- if (tb[TCA_U32_INDEV]) {
|
|
|
e7c1b7 |
- int ret;
|
|
|
e7c1b7 |
- ret = tcf_change_indev(net, tb[TCA_U32_INDEV]);
|
|
|
e7c1b7 |
- if (ret < 0)
|
|
|
e7c1b7 |
- return -EINVAL;
|
|
|
e7c1b7 |
- n->ifindex = ret;
|
|
|
e7c1b7 |
- }
|
|
|
e7c1b7 |
+ if (ifindex >= 0)
|
|
|
e7c1b7 |
+ n->ifindex = ifindex;
|
|
|
e7c1b7 |
#endif
|
|
|
e7c1b7 |
+
|
|
|
e7c1b7 |
return 0;
|
|
|
e7c1b7 |
}
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
--
|
|
|
e7c1b7 |
2.40.1
|
|
|
e7c1b7 |
|
|
|
e7c1b7 |
|