| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230531141556.1637341-1-lee@kernel.org>
Date: Wed, 31 May 2023 15:15:56 +0100
From: Lee Jones <lee@...nel.org>
To: lee@...nel.org,
jhs@...atatu.com,
xiyou.wangcong@...il.com,
jiri@...nulli.us,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com
Cc: linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
stable@...nel.org
Subject: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can be
used to do 'bad things'.
Cc: stable@...nel.org # v4.14+
Signed-off-by: Lee Jones <lee@...nel.org>
---
net/sched/cls_u32.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 4e2e269f121f8..fad61ca5e90bf 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
if (tb[TCA_U32_INDEV]) {
int ret;
ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
- if (ret < 0)
+ if (ret < 0) {
+ if (tb[TCA_U32_LINK])
+ n->ht_down->refcnt--;
return -EINVAL;
+ }
n->ifindex = ret;
}
return 0;
--
2.41.0.rc0.172.g3f132b7071-goog
Powered by blists - more mailing lists