References: <20230531141556.1637341-1-lee@kernel.org>
In-Reply-To: <20230531141556.1637341-1-lee@kernel.org>
From: Eric Dumazet
Date: Wed, 31 May 2023 17:03:37 +0200
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
To: Lee Jones
Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, stable@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 31, 2023 at 4:16 PM Lee Jones wrote:
>
> In the event of a failure in tcf_change_indev(), u32_set_parms() will
> immediately return without decrementing the recently incremented
> reference counter. If this happens enough times, the counter will
> rollover and the reference freed, leading to a double free which can be
> used to do 'bad things'.
>
> Cc: stable@kernel.org # v4.14+

Please add a Fixes: tag.

> Signed-off-by: Lee Jones
> ---
>  net/sched/cls_u32.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4e2e269f121f8..fad61ca5e90bf 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
>  	if (tb[TCA_U32_INDEV]) {
>  		int ret;
>  		ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);

This call should probably be done earlier in the function, next to
tcf_exts_validate_ex()

Otherwise we might ask why the tcf_bind_filter() does not need to be undone.

Something like:
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 4e2e269f121f8a301368b9783753e055f5af6a4e..ac957ff2216ae18bcabdd3af3b0e127447ef8f91 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -718,13 +718,18 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
 			 struct nlattr *est, u32 flags, u32 fl_flags,
 			 struct netlink_ext_ack *extack)
 {
-	int err;
+	int err, ifindex = -1;
 
 	err = tcf_exts_validate_ex(net, tp, tb, est, &n->exts, flags,
 				   fl_flags, extack);
 	if (err < 0)
 		return err;
 
+	if (tb[TCA_U32_INDEV]) {
+		ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
+		if (ifindex < 0)
+			return -EINVAL;
+	}
 	if (tb[TCA_U32_LINK]) {
 		u32 handle = nla_get_u32(tb[TCA_U32_LINK]);
 		struct tc_u_hnode *ht_down = NULL, *ht_old;
@@ -759,13 +764,9 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
 		tcf_bind_filter(tp, &n->res, base);
 	}
 
-	if (tb[TCA_U32_INDEV]) {
-		int ret;
-		ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
-		if (ret < 0)
-			return -EINVAL;
-		n->ifindex = ret;
-	}
+	if (ifindex >= 0)
+		n->ifindex = ifindex;
+
 	return 0;
 }
 
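Review bot: in the @@ -718 hunk the new `return -EINVAL` on tcf_change_indev() failure sits directly after the existing `if (err < 0) return err;` that follows tcf_exts_validate_ex(), and before the TCA_U32_LINK handling that the original order let run first, so it needs no unwinding beyond what that existing return already relies on; the commit message should say so explicitly, and should also mention the one user-visible side effect of the reordering: a request that carries both an unresolvable TCA_U32_INDEV and an invalid TCA_U32_LINK now fails on the indev (and sets that extack message) first. Keeping -EINVAL rather than propagating the value tcf_change_indev() returned preserves the old error code, which is the right choice for a stable-bound fix; note that with the patch Cc'd to stable v4.14+, the backport will need adapting in trees where tcf_exts_validate_ex() with the fl_flags argument does not exist in this form.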
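Review bot: in the @@ -759 hunk `if (ifindex >= 0) n->ifindex = ifindex;` depends on the `-1` initialiser in the first hunk acting as a "TCA_U32_INDEV not supplied" sentinel, and nothing near this line shows where the value came from; a one-line comment at `int err, ifindex = -1;` or a more specific name such as `indev_ifindex` would make that explicit for the next reader. The behaviour itself matches the removed block: n->ifindex is left untouched when the attribute is absent, the stored value is the same one the old `n->ifindex = ret;` stored, and the -EINVAL return on lookup failure is unchanged. The extra `+` blank line before `return 0;` is a style nit.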
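The failure mode the commit message describes and the ordering rule Eric applies (resolve everything that can fail before taking any reference) are easier to see in a user-space model than in the classifier itself. The following is an added example and is not code from the patch, from the reviewer or from the kernel: `struct ht_node`, `set_parms_buggy`, `set_parms_fixed`, `lookup_indev` and the other names are invented stand-ins for the kernel objects and helpers, and the reference counter is deliberately 8 bits wide so that the wrap-around the commit message warns about is observable after 255 leaked references instead of 2^32.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * error-path ordering bug discussed above. All names are invented for the
 * illustration; the refcount is deliberately 8 bits wide so the wrap-around
 * is observable in a loop of 255 calls instead of 2^32. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the hash-table node that the TCA_U32_LINK handling references. */
struct ht_node {
	uint8_t refcnt;   /* the real counter is 32 bits; narrow here on purpose */
	bool freed;
};

static void ht_get(struct ht_node *ht) { ht->refcnt++; }

static void ht_put(struct ht_node *ht)
{
	if (--ht->refcnt == 0)
		ht->freed = true;   /* would be a kfree() in the kernel */
}

/* Stand-in for tcf_change_indev(): an ifindex on success, negative on failure. */
static int lookup_indev(int requested, bool fail)
{
	return fail ? -1 : requested;
}

struct knode { struct ht_node *link; int ifindex; };

/* Buggy ordering: a reference is taken, then a later step fails and returns early. */
static int set_parms_buggy(struct knode *n, struct ht_node *link, int indev, bool indev_fails)
{
	ht_get(link);                                       /* TCA_U32_LINK step */
	n->link = link;
	int ifindex = lookup_indev(indev, indev_fails);     /* TCA_U32_INDEV step */
	if (ifindex < 0)
		return -1;              /* BUG: the reference from ht_get() is never dropped */
	n->ifindex = ifindex;
	return 0;
}

/* Fixed ordering: everything that can fail is resolved before anything is acquired. */
static int set_parms_fixed(struct knode *n, struct ht_node *link, int indev, bool indev_fails)
{
	int ifindex = lookup_indev(indev, indev_fails);
	if (ifindex < 0)
		return -1;              /* nothing acquired yet, so nothing to undo */
	ht_get(link);
	n->link = link;
	n->ifindex = ifindex;
	return 0;
}

/* Run `failures` failing calls through one variant and return the node's refcount;
 * the owner holds one reference, so 1 means nothing leaked. */
static unsigned leaked_refs(int (*variant)(struct knode *, struct ht_node *, int, bool),
			    unsigned failures)
{
	struct ht_node ht = { .refcnt = 1, .freed = false };
	struct knode n = { 0 };
	for (unsigned i = 0; i < failures; i++)
		variant(&n, &ht, 7, true);
	return ht.refcnt;
}

/* Once the leaked references have wrapped the counter to 0, a single legitimate
 * get/put pair frees the node while its owner still holds it: the premature free
 * behind the double free the commit message describes. Returns true if that happens. */
static bool freed_under_owner(void)
{
	struct ht_node ht = { .refcnt = 1, .freed = false };
	struct knode n = { 0 };
	for (unsigned i = 0; i < 255; i++)
		set_parms_buggy(&n, &ht, 7, true);   /* refcnt: 1 -> 0 after wrapping */
	set_parms_buggy(&n, &ht, 7, false);      /* one successful call: 0 -> 1 */
	ht_put(&ht);                             /* its release: 1 -> 0, node "freed" */
	return ht.freed;                         /* owner's reference is now dangling */
}

int main(void)
{
	printf("buggy order, 10 failures: refcnt=%u\n", leaked_refs(set_parms_buggy, 10));
	printf("fixed order, 10 failures: refcnt=%u\n", leaked_refs(set_parms_fixed, 10));
	printf("buggy order after wrap, freed under owner: %s\n",
	       freed_under_owner() ? "yes" : "no");
	return 0;
}
```

The point of the model is the shape of the two functions, not the numbers: in `set_parms_fixed` every early `return` comes before the first acquisition, so the error path has nothing to release, which is exactly why the reordered patch needs no extra cleanup and why the question about undoing tcf_bind_filter() does not arise.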