]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b4870a4) | patch
net_sched: cls_route: remove from list when handle is 0
authorThadeu Lima de Souza Cascardo <cascardo@canonical.com>
Tue, 9 Aug 2022 17:05:18 +0000 (14:05 -0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Aug 2022 09:18:15 +0000 (11:18 +0200)
commit190ddd34fa8a3fc4ca09f40837f4e4c042ec5e35
tree949977b124ba07d511e8d6c48227393e565f2962tree | snapshot
parentb4870a40f7be6a884064ad7bc72b4335d1347194commit | diff
net_sched: cls_route: remove from list when handle is 0

commit 1fa7327303b0394766cc2e9d7cde0c94c128a844 upstream.

When a route filter is replaced and the old filter has a 0 handle, the old
one won't be removed from the hashtable, while it will still be freed.

The test was there since before commit 644cf8045812 ("net: sched: RCU
cls_route"), when a new filter was not allocated when there was an old one.
The old filter was reused and the reinserting would only be necessary if an
old filter was replaced. That was still wrong for the same case where the
old handle was 0.

Remove the old filter from the list independently from its handle value.

This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.

Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Kamal Mostafa <kamal@canonical.com>
Cc: <stable@vger.kernel.org>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/sched/cls_route.c diff | blob | history
Linux Kernel Source Tree.