From: Denis Efremov <denis.e.efremov@oracle.com>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>
Cc: netdev <netdev@vger.kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Vlad Buslov <vladbu@mellanox.com>, Jiri Pirko <jiri@mellanox.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	syzbot <syzkaller@googlegroups.com>
Subject: Re: [PATCH net] net: sched: fix use-after-free in tc_new_tfilter()
Date: Fri, 1 Apr 2022 10:33:23 +0300
Message-ID: <7c6d4b3c-10b9-1801-f3da-a6f01a81a70c@oracle.com>
In-Reply-To: <20220131172018.3704490-1-eric.dumazet@gmail.com>

Hi,

On 1/31/22 20:20, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> Whenever tc_new_tfilter() jumps back to replay: label,
> we need to make sure @q and @chain local variables are cleared again,
> or risk use-after-free as in [1]
> 
> For consistency, apply the same fix in tc_ctl_chain()
> 
> BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581

> 
> Fixes: 470502de5bdb ("net: sched: unlock rules update API")

Could you please recheck the Fixes commit?
Commit 470502de5bdb open-codes the tcf_block_find function.

> -	struct Qdisc *q = NULL;
> +	struct Qdisc *q;
>  	struct tcf_chain_info chain_info;
> -	struct tcf_chain *chain = NULL;
> +	struct tcf_chain *chain;
>  	struct tcf_block *block;
>  	struct tcf_proto *tp;
>  	unsigned long cl;
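Review bot: with the `= NULL` initializers dropped from the declarations, `q` and `chain` are indeterminate from function entry until the assignments placed after the `replay:` label; please confirm that no early exit before that point reaches the common cleanup that tests `q`/`chain`. Keeping the declaration initializers alongside the new per-replay ones costs nothing and also keeps -Wmaybe-uninitialized quiet.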
> @@ -1976,6 +1976,8 @@ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
>  	tp = NULL;
>  	cl = 0;
>  	block = NULL;
> +	q = NULL;
> +	chain = NULL;
>  	flags = 0;
>  
>  	if (prio == 0) {
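Review bot: the `q = NULL; chain = NULL;` reset next to `block = NULL;` turns a stale pointer into a harmless NULL only if the references `q` and `chain` held were already dropped on the path that jumps back to `replay:`; on any path that still holds them, the reset leaks the reference instead. The commit message says the variables must be "cleared again" but not where they are released; stating that, and why `block` was already reset here while `q` and `chain` were not, would make the fix easier to review and to backport.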

I'm not 100% sure, but it looks like the error could have been introduced by commit
7960d1daf278 ("net: sched: use block index as a handle instead of qdisc when block is shared")

This affects linux-4.19.y backporting.

I'm checking it because CVE-2022-1055 was assigned to the fix.

Thanks,
Denis Efremov
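A constructed user-space illustration of the pattern the commit message describes, added to this archive page; it is not code from the kernel or from either poster. `mock_qdisc`, `mock_qdisc_lookup`, `mock_qdisc_put` and `mock_tfilter` are stand-ins for the real net/sched objects and for tc_new_tfilter(): the first pass takes a reference, hits a transient condition, drops the reference and jumps back to `replay:`; the second pass fails before the pointer is reassigned and runs the shared error path. Instead of really freeing memory, the mock sets a `freed` flag so the stale use is counted rather than executed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel object; not the real struct Qdisc. */
struct mock_qdisc {
	int refcnt;
	bool freed;	/* set instead of freeing, so the demo stays memory-safe */
};

static struct mock_qdisc the_qdisc;	/* the single object the mock lookup hands out */

/* Mock lookup: returns the object with one reference held by the caller. */
static struct mock_qdisc *mock_qdisc_lookup(void)
{
	the_qdisc.refcnt = 1;
	the_qdisc.freed = false;
	return &the_qdisc;
}

/* Mock put: dropping the last reference "frees" the object. */
static void mock_qdisc_put(struct mock_qdisc *q)
{
	if (q && --q->refcnt == 0)
		q->freed = true;	/* the kernel would free the memory here */
}

/*
 * Skeleton of the replay loop from the thread (mock, not tc_new_tfilter()).
 * reset_on_replay selects the patched behaviour: clear q after the label.
 * *stale_uses counts error-path uses of a pointer whose object was freed.
 * Returns the negative errno the second pass fails with.
 */
static int mock_tfilter(bool reset_on_replay, int *stale_uses)
{
	struct mock_qdisc *q = NULL;	/* initializer at the declaration only */
	int attempt = 0;
	int err;

	*stale_uses = 0;
replay:
	if (reset_on_replay)
		q = NULL;	/* what the patch adds right after the replay: label */

	if (attempt++ == 0) {
		q = mock_qdisc_lookup();
		/* transient condition: release the reference and retry from the top */
		mock_qdisc_put(q);	/* refcount hits zero, object is now "freed" */
		goto replay;
	}

	/* second pass fails before q is looked up again */
	err = -ENOENT;
	goto errout;

errout:
	if (q) {
		if (q->freed)
			(*stale_uses)++;	/* unpatched: q still names the freed object */
		else
			mock_qdisc_put(q);	/* normal cleanup of a live reference */
	}
	return err;
}

/* Convenience wrapper: number of stale uses for one configuration. */
static int stale_uses_for(bool reset_on_replay)
{
	int n;

	mock_tfilter(reset_on_replay, &n);
	return n;
}

int main(void)
{
	printf("without reset on replay: %d stale use(s)\n", stale_uses_for(false));
	printf("with reset on replay:    %d stale use(s)\n", stale_uses_for(true));
	return 0;
}
```

Without the reset the error path dereferences the pointer left over from the first pass (counted as one stale use here; a real use-after-free in the kernel, which is what KASAN reported); with the reset the same path sees NULL and skips the cleanup. The mock deliberately releases the reference before jumping back, which is the precondition under which clearing the variable is the correct fix rather than a leak.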

Thread overview: 8+ messages
2022-01-31 17:20 [PATCH net] net: sched: fix use-after-free in tc_new_tfilter() Eric Dumazet
2022-01-31 18:53 ` Vlad Buslov
2022-01-31 19:08   ` Eric Dumazet
2022-01-31 19:28     ` Vlad Buslov
2022-01-31 19:31       ` Eric Dumazet
2022-01-31 19:36         ` Vlad Buslov
2022-02-02  4:20 ` patchwork-bot+netdevbpf
2022-04-01  7:33 ` Denis Efremov [this message]
