mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-05 18:39:59 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Paolo Abeni 12075708f2 net: fix UaF in netns ops registration error path 
[ Upstream commit 71ab9c3e22 ]

If net_assign_generic() fails, the current error path in ops_init() tries
to clear the gen pointer slot. Anyway, in such error path, the gen pointer
itself has not been modified yet, and the existing and accessed one is
smaller than the accessed index, causing an out-of-bounds error:

 BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320
 Write of size 8 at addr ffff888109124978 by task modprobe/1018

 CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x6a/0x9f
  print_address_description.constprop.0+0x86/0x2b5
  print_report+0x11b/0x1fb
  kasan_report+0x87/0xc0
  ops_init+0x2de/0x320
  register_pernet_operations+0x2e4/0x750
  register_pernet_subsys+0x24/0x40
  tcf_register_action+0x9f/0x560
  do_one_initcall+0xf9/0x570
  do_init_module+0x190/0x650
  load_module+0x1fa5/0x23c0
  __do_sys_finit_module+0x10d/0x1b0
  do_syscall_64+0x58/0x80
  entry_SYSCALL_64_after_hwframe+0x72/0xdc
 RIP: 0033:0x7f42518f778d
 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
       89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
       ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48
 RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
 RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d
 RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003
 RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
 R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000
  </TASK>

This change addresses the issue by skipping the gen pointer
de-reference in the mentioned error-path.

Found by code inspection and verified with explicit error injection
on a kasan-enabled kernel.

Fixes: d266935ac4 ("net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/cec4e0f3bb2c77ac03a6154a8508d3930beb5f0f.1674154348.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-01 08:34:43 +01:00
..
6lowpan
9p 9p/client: fix data race on req->status 2023-01-12 12:02:36 +01:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
8021q
appletalk
atm net/atm: fix proc_mpc_write incorrect return value 2022-10-15 11:08:36 +01:00
ax25
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-22 13:02:10 -07:00
bluetooth Bluetooth: hci_sync: cancel cmd_timer if hci_open failed 2023-02-01 08:34:35 +01:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2022-12-31 13:32:14 +01:00
bpfilter
bridge bridge: switchdev: Fix memory leaks when changing VLAN protocol 2022-11-15 13:38:11 +01:00
caif caif: fix memory leak in cfctrl_linkup_request() 2023-01-12 12:02:33 +01:00
can can: af_can: fix NULL pointer dereference in can_rcv_filter 2022-12-07 10:30:47 +01:00
ceph Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
core net: fix UaF in netns ops registration error path 2023-02-01 08:34:43 +01:00
dcb
dccp dccp/tcp: Fixup bhash2 bucket when connect() fails. 2022-11-22 20:15:37 -08:00
dns_resolver
dsa net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path 2022-12-31 13:32:29 +01:00
ethernet
ethtool net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats 2023-01-24 07:24:31 +01:00
hsr hsr: Synchronize sequence number updates. 2022-12-31 13:32:22 +01:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 tcp: fix rate_app_limited to default to 1 2023-02-01 08:34:27 +01:00
ipv6 ipv6: fix reachability confirmation with proxy_ndp 2023-02-01 08:34:39 +01:00
iucv
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key xfrm: Fix oops in __xfrm_state_delete() 2022-11-22 07:14:55 +01:00
l2tp l2tp: prevent lockdep issue in l2tp_tunnel_register() 2023-02-01 08:34:24 +01:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: Fix iTXQ AMPDU fragmentation handling 2023-02-01 08:34:36 +01:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-05 09:53:08 +01:00
mctp mctp: Remove device type check at unregister 2022-12-31 13:32:56 +01:00
mpls
mptcp mptcp: netlink: respect v4/v6-only sockets 2023-01-24 07:24:37 +01:00
ncsi
netfilter netfilter: conntrack: handle tcp challenge acks during connection reuse 2023-02-01 08:34:21 +01:00
netlabel
netlink genetlink: limit the use of validation workarounds to old ops 2022-10-27 08:20:21 -07:00
netrom
nfc net: nfc: Fix use-after-free in local_cleanup() 2023-02-01 08:34:17 +01:00
nsh
openvswitch openvswitch: Use kmalloc_size_roundup() to match ksize() usage 2022-12-31 13:32:59 +01:00
packet packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE 2022-11-29 08:30:18 -08:00
phonet
psample
qrtr
rds treewide: use get_random_{u8,u16}() when possible, part 2 2022-10-11 17:42:58 -06:00
rfkill
rose rose: Fix NULL pointer dereference in rose_send_frame() 2022-11-02 11:57:30 +00:00
rxrpc rxrpc: Fix missing unlock in rxrpc_do_sendmsg() 2022-12-31 13:32:55 +01:00
sched net: sched: gred: prevent races when adding offloads to stats 2023-02-01 08:34:25 +01:00
sctp sctp: sysctl: make extra pointers netns aware 2022-12-31 13:32:28 +01:00
smc net/smc: Fix possible leaked pernet namespace in smc_init() 2022-11-02 20:42:09 -07:00
strparser
sunrpc Revert "SUNRPC: Use RMW bitops in single-threaded hot paths" 2023-01-14 10:33:42 +01:00
switchdev
tipc tipc: fix unexpected link reset due to discovery messages 2023-01-18 11:58:24 +01:00
tls bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes 2022-12-31 13:32:20 +01:00
unix unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg() 2022-12-31 13:32:54 +01:00
vmw_vsock net: vmw_vsock: vmci: Check memcpy_from_msg() 2022-12-31 13:32:26 +01:00
wireless wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails 2022-12-31 13:32:20 +01:00
x25 net/x25: Fix skb leak in x25_lapb_receive_frame() 2022-11-15 20:22:19 -08:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-11-23 19:18:59 -08:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
Kconfig
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile
socket.c d_path pile 2022-10-06 16:55:41 -07:00
sysctl_net.c