lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 1 Apr 2022 10:33:23 +0300
From:   Denis Efremov <denis.e.efremov@...cle.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Cc:     netdev <netdev@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Vlad Buslov <vladbu@...lanox.com>,
        Jiri Pirko <jiri@...lanox.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] net: sched: fix use-after-free in tc_new_tfilter()

Hi,

On 1/31/22 20:20, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@...gle.com>
> 
> Whenever tc_new_tfilter() jumps back to replay: label,
> we need to make sure @q and @chain local variables are cleared again,
> or risk use-after-free as in [1]
> 
> For consistency, apply the same fix in tc_ctl_chain()
> 
> BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581

> 
> Fixes: 470502de5bdb ("net: sched: unlock rules update API")

Could you please recheck the Fixes commit?
470502de5bdb commit open codes for tcf_block_find function.

> -	struct Qdisc *q = NULL;
> +	struct Qdisc *q;
>  	struct tcf_chain_info chain_info;
> -	struct tcf_chain *chain = NULL;
> +	struct tcf_chain *chain;
>  	struct tcf_block *block;
>  	struct tcf_proto *tp;
>  	unsigned long cl;
> @@ -1976,6 +1976,8 @@ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
>  	tp = NULL;
>  	cl = 0;
>  	block = NULL;
> +	q = NULL;
> +	chain = NULL;
>  	flags = 0;
>  
>  	if (prio == 0) {

I'm not 100% sure but it looks like the error could be introduced by the commit
7960d1daf278 ("net: sched: use block index as a handle instead of qdisc when block is shared")

This affects linux-4.19.y backporting.

I'm checking it because CVE-2022-1055 was assigned to the fix.

Thanks,
Denis Efremov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ