linux-stable/net/sched
Davide Caratti de9f2452b1 net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used
[ Upstream commit 38230a3e0e ]

The control action in the common member of struct tcf_tunnel_key must be a
valid value, as it can contain the chain index when 'goto chain' is used.
Ensure that the control action can be read as x->tcfa_action, when x is a
pointer to struct tc_action and x->ops->type is TCA_ACT_TUNNEL_KEY, to
prevent the following command:

 # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
 > $tcflags dst_mac $h2mac action tunnel_key unset goto chain 1

from causing a NULL dereference when a matching packet is received:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 80000001097ac067 P4D 80000001097ac067 PUD 103b0a067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 0 PID: 3491 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
 Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Call Trace:
  <IRQ>
  fl_classify+0x1ad/0x1c0 [cls_flower]
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? update_load_avg+0x665/0x690
  ? update_load_avg+0x665/0x690
  ? kmem_cache_alloc+0x38/0x1c0
  tcf_classify+0x89/0x140
  __netif_receive_skb_core+0x5ea/0xb70
  ? enqueue_entity+0xd0/0x270
  ? process_backlog+0x97/0x150
  process_backlog+0x97/0x150
  net_rx_action+0x14b/0x3e0
  __do_softirq+0xde/0x2b4
  do_softirq_own_stack+0x2a/0x40
  </IRQ>
  do_softirq.part.18+0x49/0x50
  __local_bh_enable_ip+0x49/0x50
  __dev_queue_xmit+0x4ab/0x8a0
  ? wait_woken+0x80/0x80
  ? packet_sendmsg+0x38f/0x810
  ? __dev_queue_xmit+0x8a0/0x8a0
  packet_sendmsg+0x38f/0x810
  sock_sendmsg+0x36/0x40
  __sys_sendto+0x10e/0x140
  ? do_vfs_ioctl+0xa4/0x630
  ? syscall_trace_enter+0x1df/0x2e0
  ? __audit_syscall_exit+0x22a/0x290
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd67e18dc93
 Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
 RSP: 002b:00007ffe0189b748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00000000020ca010 RCX: 00007fd67e18dc93
 RDX: 0000000000000062 RSI: 00000000020ca322 RDI: 0000000000000003
 RBP: 00007ffe0189b780 R08: 00007ffe0189b760 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
 R13: 00000000020ca322 R14: 00007ffe0189b760 R15: 0000000000000003
 Modules linked in: act_tunnel_key act_gact cls_flower sch_ingress vrf veth act_csum(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm irqbypass snd_hda_intel crct10dif_pclmul crc32_pclmul hp_wmi ghash_clmulni_intel pcbc snd_hda_codec aesni_intel sparse_keymap rfkill snd_hda_core snd_hwdep snd_seq crypto_simd iTCO_wdt gpio_ich iTCO_vendor_support wmi_bmof cryptd mei_wdt glue_helper snd_seq_device snd_pcm pcspkr snd_timer snd i2c_i801 lpc_ich sg soundcore wmi mei_me
  mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom i915 video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci crc32c_intel libahci serio_raw sfc libata mtd drm ixgbe mdio i2c_core e1000e dca
 CR2: 0000000000000000
 ---[ end trace 1ab8b5b5d4639dfc ]---
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: d0f6dd8a91 ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-24 13:09:14 +02:00
act_api.c net sched actions: fix dumping which requires several messages to user space 2018-04-12 12:32:23 +02:00
act_bpf.c net/sched: fix idr leak on the error path of tcf_bpf_init() 2018-05-30 07:52:18 +02:00
act_connmark.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_csum.c net: accept UFO datagrams from tuntap and packet 2017-12-17 15:07:58 +01:00
act_gact.c net/sched: Fix update of lastuse in act modules implementing stats_update 2018-01-17 09:45:22 +01:00
act_ife.c net: sched: ife: handle malformed tlv length 2018-04-29 11:33:13 +02:00
act_ipt.c net/sched: fix idr leak in the error path of __tcf_ipt_init() 2018-05-30 07:52:18 +02:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c net sched ife action: Introduce skb tcindex metadata encap decap 2016-09-19 21:55:28 -04:00
act_mirred.c net/sched: Fix update of lastuse in act modules implementing stats_update 2018-01-17 09:45:22 +01:00
act_nat.c Revert "net_sched: hold netns refcnt for each action" 2017-11-09 10:03:09 +09:00
act_pedit.c net/sched: fix idr leak in the error path of tcp_pedit_init() 2018-05-30 07:52:18 +02:00
act_police.c net/sched: fix idr leak in the error path of tcf_act_police_init() 2018-05-30 07:52:18 +02:00
act_sample.c net/sched: fix NULL dereference in the error path of tcf_sample_init() 2018-05-30 07:52:16 +02:00
act_simple.c net/sched: act_simple: fix parsing of TCA_DEF_DATA 2018-06-26 08:06:28 +08:00
act_skbedit.c net sched actions: fix invalid pointer dereferencing if skbedit flags missing 2018-06-21 04:02:57 +09:00
act_skbmod.c net/sched: fix idr leak in the error path of tcf_skbmod_init() 2018-05-30 07:52:18 +02:00
act_tunnel_key.c net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used 2018-08-24 13:09:14 +02:00
act_vlan.c net/sched: fix refcnt leak in the error path of tcf_vlan_init() 2018-05-25 16:17:23 +02:00
cls_api.c net: sched: fix error path in tcf_proto_create() when modules are not configured 2018-05-19 10:20:26 +02:00
cls_basic.c cls_basic: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:09 +09:00
cls_bpf.c cls_bpf: don't decrement net's refcount when offload fails 2017-12-17 15:07:59 +01:00
cls_cgroup.c cls_cgroup: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:09 +09:00
cls_flow.c cls_flow: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:09 +09:00
cls_flower.c cls_flower: Fix incorrect idr release when failing to modify rule 2018-06-11 22:49:22 +02:00
cls_fw.c cls_fw: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:09 +09:00
cls_matchall.c cls_matchall: fix tcf_unbind_filter missing 2018-08-22 07:46:11 +02:00
cls_route.c cls_route: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:10 +09:00
cls_rsvp.c
cls_rsvp.h cls_rsvp: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:10 +09:00
cls_rsvp6.c
cls_tcindex.c net_sched: Fix missing res info when create new tc_index filter 2018-08-22 07:46:08 +02:00
cls_u32.c cls_u32: fix use after free in u32_destroy_key() 2018-03-08 22:41:16 -08:00
em_canid.c
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
Kconfig net: sched: select cls when cls_act is enabled 2017-06-05 10:56:36 -04:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sch_api.c net_sched: avoid matching qdisc with zero handle 2017-10-29 17:55:03 +09:00
sch_atm.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_blackhole.c net_sched: blackhole: tell upper qdisc about dropped packets 2018-07-22 14:28:46 +02:00
sch_cbq.c net: sched: cbq: create block for q->link.block 2017-12-17 15:07:58 +01:00
sch_choke.c net_sched: red: Avoid illegal values 2018-02-25 11:07:59 +01:00
sch_codel.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_drr.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_dsmark.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_fifo.c sched: don't use skb queue helpers 2016-09-19 01:47:18 -04:00
sch_fq.c net_sched: fq: take care of throttled flows before reuse 2018-05-19 10:20:24 +02:00
sch_fq_codel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_generic.c net: sched: drop qdisc_reset from dev_graft_qdisc 2018-03-19 08:42:54 +01:00
sch_gred.c net_sched: red: Avoid illegal values 2018-02-25 11:07:59 +01:00
sch_hfsc.c net_sched/hfsc: fix curve activation in hfsc_change_class() 2017-09-21 11:56:32 -07:00
sch_hhf.c sch_hhf: fix null pointer dereference on init failure 2017-08-30 15:26:11 -07:00
sch_htb.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_ingress.c net: sched: fix static key imbalance in case of ingress/clsact_init error 2018-01-02 20:31:12 +01:00
sch_mq.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_mqprio.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_multiq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
sch_netem.c sch_netem: fix skb leak in netem_enqueue() 2018-03-31 18:10:40 +02:00
sch_pie.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
sch_plug.c net_sched: drop packets after root qdisc lock is released 2016-06-25 12:19:35 -04:00
sch_prio.c sched: Use __qdisc_drop instead of kfree_skb in sch_prio and sch_qfq 2017-09-06 21:20:07 -07:00
sch_qfq.c sched: Use __qdisc_drop instead of kfree_skb in sch_prio and sch_qfq 2017-09-06 21:20:07 -07:00
sch_red.c net: sched: red: avoid hashing NULL child 2018-05-25 16:17:23 +02:00
sch_sfb.c net_sched: remove tc class reference counting 2017-08-25 17:19:10 -07:00
sch_sfq.c net_sched: red: Avoid illegal values 2018-02-25 11:07:59 +01:00
sch_tbf.c net: sched: red: avoid hashing NULL child 2018-05-25 16:17:23 +02:00
sch_teql.c net: make ndo_get_stats64 a void function 2017-01-08 17:51:44 -05:00