From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4A1EC19F2D for ; Tue, 9 Aug 2022 19:18:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344375AbiHITS3 (ORCPT ); Tue, 9 Aug 2022 15:18:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348641AbiHITRN (ORCPT ); Tue, 9 Aug 2022 15:17:13 -0400 Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 96EC3F1 for ; Tue, 9 Aug 2022 12:11:55 -0700 (PDT) Received: by mail-ot1-x32f.google.com with SMTP id k29-20020a9d701d000000b0061c99652493so9112958otj.8 for ; Tue, 09 Aug 2022 12:11:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9siwJIQC3o+zwhpaqmVDPq6puonWJ3yK708h6UiJFdg=; b=QgvKBMm8UoPqyQ2WP3hOgK3xaIB30W863tOgle5E3Kiwc6vM5E6q1uouWu2IkOUCUT wZ1VidX2czSp362XqtPXj7iTEJQVXXY4/vgVPe+e3HADQlaUaqGS5ppJ13N0sdhirBic ZG3woluvGbX/DYyX0WNrhb97ZS8DGtWApNHa47MRWKWZvAPx2M7cViTdLINc8Be08mjX HFA0ZRMJ5Eh7j7BBCUIx/lvI7p9JlyL68gS1ga6OcrDddr3ZXnIxtxlYUV3EaUt+6fnD iXC57N+GzkSH/9PQH7i/VD2H71w//DRuRIFKKcLF33iMrgJWAr7CBGin+vtZVn30RpCb mcnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9siwJIQC3o+zwhpaqmVDPq6puonWJ3yK708h6UiJFdg=; b=fJ/0ThUIDXMc3JoaW5xxWJGeM3GtE7dWudGUBv6+hVoLhFns+JY0Xikfbegk2YUgfM xDtmWNiun2xviA4U8ZQvQqDZLC+Ok1+0mmDSDgf//oMwNtJeWbIJCNXR2VW+fneBY8hb ZyzSHH7VVq1L0mH/868jkr1lFYunM/wALs+6+gTQviwbUAjZ0uNOWgX9PrBg+4HJsIIu lGGbHlE+eiPvFZHLqnar4t8ve4L/RNaagBao/7dHp4qgS8/i1QivN6cbOSMoYdgkCjs0 f0ntrQWMgAW4SqF6QeU7F1LHwqsRClSOTuZLQYAOTaoX7uTMzP4KCC4X8ElfsSlHiRgj Pq0w== X-Gm-Message-State: ACgBeo0vMpe2vJ4AjIUHbbfmTIZYigmUL8XAmCkGoTQSsVktPKAF9VCH lz8xFlBEK3YwbDQ8hu8FCpVWO0UO2fJUJ5ByuSM5lg== X-Google-Smtp-Source: AA6agR5iAlBylvFaT44jwWOpEWd8XAtcToZBgN7hOdZtnHKUmmK59qh/j9o8EziN9T39wzzH/QTr3wEy3bcHZ0ksw1E= X-Received: by 2002:a05:6830:34a0:b0:636:f7fc:98bb with SMTP id c32-20020a05683034a000b00636f7fc98bbmr2964393otu.223.1660072314985; Tue, 09 Aug 2022 12:11:54 -0700 (PDT) MIME-Version: 1.0 References: <20220809170518.164662-1-cascardo@canonical.com> In-Reply-To: <20220809170518.164662-1-cascardo@canonical.com> From: Jamal Hadi Salim Date: Tue, 9 Aug 2022 15:11:44 -0400 Message-ID: Subject: Re: [PATCH] net_sched: cls_route: remove from list when handle is 0 To: Thadeu Lima de Souza Cascardo Cc: netdev@vger.kernel.org, Cong Wang , Jiri Pirko , Zhenpeng Lin , Kamal Mostafa , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Tue, Aug 9, 2022 at 1:06 PM Thadeu Lima de Souza Cascardo wrote: > > When a route filter is replaced and the old filter has a 0 handle, the old > one won't be removed from the hashtable, while it will still be freed. > > The test was there since before commit 1109c00547fc ("net: sched: RCU > cls_route"), when a new filter was not allocated when there was an old one. > The old filter was reused and the reinserting would only be necessary if an > old filter was replaced. That was still wrong for the same case where the > old handle was 0. > > Remove the old filter from the list independently from its handle value. > > This fixes CVE-2022-2588, also reported as ZDI-CAN-17440. > > Reported-by: Zhenpeng Lin > Signed-off-by: Thadeu Lima de Souza Cascardo > Reviewed-by: Kamal Mostafa > Cc: > Cc: Jamal Hadi Salim Acked-by: Jamal Hadi Salim cheers, jamal