lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230531141556.1637341-1-lee@kernel.org> Date: Wed, 31 May 2023 15:15:56 +0100 From: Lee Jones <lee@...nel.org> To: lee@...nel.org, jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, stable@...nel.org Subject: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow In the event of a failure in tcf_change_indev(), u32_set_parms() will immediately return without decrementing the recently incremented reference counter. If this happens enough times, the counter will rollover and the reference freed, leading to a double free which can be used to do 'bad things'. Cc: stable@...nel.org # v4.14+ Signed-off-by: Lee Jones <lee@...nel.org> --- net/sched/cls_u32.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 4e2e269f121f8..fad61ca5e90bf 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, if (tb[TCA_U32_INDEV]) { int ret; ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); - if (ret < 0) + if (ret < 0) { + if (tb[TCA_U32_LINK]) + n->ht_down->refcnt--; return -EINVAL; + } n->ifindex = ret; } return 0; -- 2.41.0.rc0.172.g3f132b7071-goog
Powered by blists - more mailing lists