lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAM0EoMnw_4Z6tGC8=JkGKuCFTkJHt5JOFj56+_Z6GDExAMbugQ@mail.gmail.com>
Date: Wed, 31 May 2023 11:05:25 -0400
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Lee Jones <lee@...nel.org>
Cc: xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net, 
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, 
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org, stable@...nel.org
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak
 leading to overflow

On Wed, May 31, 2023 at 10:16 AM Lee Jones <lee@...nel.org> wrote:
>
> In the event of a failure in tcf_change_indev(), u32_set_parms() will
> immediately return without decrementing the recently incremented
> reference counter.  If this happens enough times, the counter will
> rollover and the reference freed, leading to a double free which can be
> used to do 'bad things'.
>
> Cc: stable@...nel.org # v4.14+
> Signed-off-by: Lee Jones <lee@...nel.org>
> ---
>  net/sched/cls_u32.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4e2e269f121f8..fad61ca5e90bf 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
>         if (tb[TCA_U32_INDEV]) {
>                 int ret;
>                 ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
> -               if (ret < 0)
> +               if (ret < 0) {
> +                       if (tb[TCA_U32_LINK])
> +                               n->ht_down->refcnt--;
>                         return -EINVAL;
> +               }
>                 n->ifindex = ret;
>         }
>         return 0;

The spirit of the patch looks right I dont think this fully solves the
issue you state.
My suggestion: Move the if (tb[TCA_U32_INDEV])  above the if
(tb[TCA_U32_LINK]) {
Did you see this in practice or you found it by eyeballing the code?
Can you also add a tdc test for it? There are simple ways to create
the scenario.

cheers,
jamal
> 2.41.0.rc0.172.g3f132b7071-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ