linux-stable/net/core
Paolo Abeni ddd49cbbd4 net: fix UaF in netns ops registration error path
[ Upstream commit 71ab9c3e22 ]

If net_assign_generic() fails, the current error path in ops_init() tries
to clear the gen pointer slot. Anyway, in such an error path, the gen pointer
itself has not been modified yet, and the existing and accessed one is
smaller than the accessed index, causing an out-of-bounds error:

 BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320
 Write of size 8 at addr ffff888109124978 by task modprobe/1018

 CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x6a/0x9f
  print_address_description.constprop.0+0x86/0x2b5
  print_report+0x11b/0x1fb
  kasan_report+0x87/0xc0
  ops_init+0x2de/0x320
  register_pernet_operations+0x2e4/0x750
  register_pernet_subsys+0x24/0x40
  tcf_register_action+0x9f/0x560
  do_one_initcall+0xf9/0x570
  do_init_module+0x190/0x650
  load_module+0x1fa5/0x23c0
  __do_sys_finit_module+0x10d/0x1b0
  do_syscall_64+0x58/0x80
  entry_SYSCALL_64_after_hwframe+0x72/0xdc
 RIP: 0033:0x7f42518f778d
 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
       89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
       ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48
 RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
 RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d
 RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003
 RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
 R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000
  </TASK>

This change addresses the issue by skipping the gen pointer
de-reference in the mentioned error-path.

Found by code inspection and verified with explicit error injection
on a kasan-enabled kernel.

Fixes: d266935ac4 ("net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/cec4e0f3bb2c77ac03a6154a8508d3930beb5f0f.1674154348.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-06 07:52:45 +01:00
bpf_sk_storage.c
datagram.c udp: fix skb_copy_and_csum_datagram with odd segment sizes 2021-02-17 10:35:19 +01:00
datagram.h
dev.c net: add atomic_long_t to net_device_stats fields 2023-01-18 11:41:37 +01:00
dev_addr_lists.c
dev_ioctl.c net: fix dev_ifsioc_locked() race condition 2021-03-07 12:20:43 +01:00
devlink.c devlink: Fix use-after-free after a failed reload 2022-08-25 11:18:23 +02:00
drop_monitor.c drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit 2022-02-23 11:59:58 +01:00
dst.c
dst_cache.c
ethtool.c net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats 2023-01-24 07:17:58 +01:00
failover.c
fib_notifier.c
fib_rules.c ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:01:13 +01:00
filter.c bpf: pull before calling skb_postpull_rcsum() 2023-01-18 11:41:56 +01:00
flow_dissector.c net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:19:34 +02:00
flow_offload.c
gen_estimator.c net_sched: gen_estimator: support large ewma log 2021-02-07 15:35:47 +01:00
gen_stats.c
gro_cells.c
hwbm.c
link_watch.c net: linkwatch: fix failure to restore device state across suspend/resume 2021-08-18 08:57:00 +02:00
lwt_bpf.c bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook 2022-05-09 09:03:24 +02:00
lwtunnel.c lwtunnel: Validate RTA_ENCAP_TYPE attribute length 2022-01-11 15:23:32 +01:00
Makefile
neighbour.c net, neigh: Fix null-ptr-deref in neigh_table_clear() 2022-11-10 17:57:52 +01:00
net-procfs.c net-procfs: show net devices bound packet types 2022-02-01 17:24:37 +01:00
net-sysfs.c net-sysfs: add check for netdevice being present to speed_show 2022-03-16 13:21:46 +01:00
net-sysfs.h
net-traces.c
net_namespace.c net: fix UaF in netns ops registration error path 2023-02-06 07:52:45 +01:00
netclassid_cgroup.c
netevent.c
netpoll.c net: Have netpoll bring-up DSA management interface 2020-11-24 13:28:57 +01:00
netprio_cgroup.c
page_pool.c mm: fix struct page layout on 32-bit systems 2021-05-19 10:08:31 +02:00
pktgen.c pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() 2021-03-07 12:20:44 +01:00
ptp_classifier.c
request_sock.c
rtnetlink.c rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() 2022-02-05 12:35:37 +01:00
scm.c
secure_seq.c tcp: Fix data-races around sysctl knobs related to SYN option. 2022-07-29 17:14:14 +02:00
skbuff.c skbuff: Account for tail adjustment during pull operations 2023-01-18 11:41:32 +01:00
skmsg.c bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full 2022-04-15 14:18:16 +02:00
sock.c net: Fix a data-race around sysctl_net_busy_read. 2022-09-05 10:27:42 +02:00
sock_diag.c
sock_map.c bpf, sockmap: fix race in sock_map_free() 2023-01-18 11:41:09 +01:00
sock_reuseport.c udp: Prevent reuseport_select_sock from reading uninitialized socks 2021-01-23 15:57:56 +01:00
stream.c net: stream: purge sk_error_queue in sk_stream_kill_queues() 2023-01-18 11:41:33 +01:00
sysctl_net_core.c net: Fix data-races around weight_p and dev_weight_[rt]x_bias. 2022-09-05 10:27:41 +02:00
timestamping.c
tso.c
utils.c
xdp.c