Commit ca6837f
committed
net/sched: cls_u32: Fix reference counter leak leading to overflow
jira VULN-6548
cve CVE-2023-3609
commit-author Lee Jones <[email protected]>
commit 04c5538
In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can be
used to do 'bad things'.
In order to prevent this, move the point of possible failure above the
point where the reference counter is incremented. Also save any
meaningful return values to be applied to the return data at the
appropriate point in time.
This issue was caught with KASAN.
Fixes: 705c709 ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Acked-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit 04c5538)
Signed-off-by: David Gomez <[email protected]>1 parent 19f8ab0 commit ca6837f
1 file changed
+10
-8
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
716 | 716 | | |
717 | 717 | | |
718 | 718 | | |
719 | | - | |
| 719 | + | |
720 | 720 | | |
721 | 721 | | |
722 | 722 | | |
723 | 723 | | |
724 | 724 | | |
725 | 725 | | |
| 726 | + | |
| 727 | + | |
| 728 | + | |
| 729 | + | |
| 730 | + | |
| 731 | + | |
726 | 732 | | |
727 | 733 | | |
728 | 734 | | |
| |||
757 | 763 | | |
758 | 764 | | |
759 | 765 | | |
760 | | - | |
761 | | - | |
762 | | - | |
763 | | - | |
764 | | - | |
765 | | - | |
766 | | - | |
| 766 | + | |
| 767 | + | |
| 768 | + | |
767 | 769 | | |
768 | 770 | | |
769 | 771 | | |
| |||
0 commit comments