From: Sasha Levin Date: Mon, 31 Oct 2022 15:32:54 +0000 (-0400) Subject: Drop net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch from 4.9 and 4.14 X-Git-Tag: v4.19.263~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4193d0fbe35adb4f3dd9ae6c51a317888260f269;p=thirdparty%2Fkernel%2Fstable-queue.git Drop net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch from 4.9 and 4.14 --- diff --git a/queue-4.14/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch b/queue-4.14/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch deleted file mode 100644 index 85b6a142442..00000000000 --- a/queue-4.14/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 7dfbf45becd80618a5552e885761eb8a363c77a9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Oct 2022 10:42:13 +0800 -Subject: net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed - -From: Zhengchao Shao - -[ Upstream commit d266935ac43d57586e311a087510fe6a084af742 ] - -When the ops_init() interface is invoked to initialize the net, but -ops->init() fails, data is released. However, the ptr pointer in -net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked -to release the net, invalid address access occurs. - -The process is as follows: -setup_net() - ops_init() - data = kzalloc(...) ---> alloc "data" - net_assign_generic() ---> assign "date" to ptr in net->gen - ... - ops->init() ---> failed - ... - kfree(data); ---> ptr in net->gen is invalid - ... - ops_exit_list() - ... - nfqnl_nf_hook_drop() - *q = nfnl_queue_pernet(net) ---> q is invalid - -The following is the Call Trace information: -BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280 -Read of size 8 at addr ffff88810396b240 by task ip/15855 -Call Trace: - -dump_stack_lvl+0x8e/0xd1 -print_report+0x155/0x454 -kasan_report+0xba/0x1f0 -nfqnl_nf_hook_drop+0x264/0x280 -nf_queue_nf_hook_drop+0x8b/0x1b0 -__nf_unregister_net_hook+0x1ae/0x5a0 -nf_unregister_net_hooks+0xde/0x130 -ops_exit_list+0xb0/0x170 -setup_net+0x7ac/0xbd0 -copy_net_ns+0x2e6/0x6b0 -create_new_namespaces+0x382/0xa50 -unshare_nsproxy_namespaces+0xa6/0x1c0 -ksys_unshare+0x3a4/0x7e0 -__x64_sys_unshare+0x2d/0x40 -do_syscall_64+0x35/0x80 -entry_SYSCALL_64_after_hwframe+0x46/0xb0 - - -Allocated by task 15855: -kasan_save_stack+0x1e/0x40 -kasan_set_track+0x21/0x30 -__kasan_kmalloc+0xa1/0xb0 -__kmalloc+0x49/0xb0 -ops_init+0xe7/0x410 -setup_net+0x5aa/0xbd0 -copy_net_ns+0x2e6/0x6b0 -create_new_namespaces+0x382/0xa50 -unshare_nsproxy_namespaces+0xa6/0x1c0 -ksys_unshare+0x3a4/0x7e0 -__x64_sys_unshare+0x2d/0x40 -do_syscall_64+0x35/0x80 -entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Freed by 
task 15855: -kasan_save_stack+0x1e/0x40 -kasan_set_track+0x21/0x30 -kasan_save_free_info+0x2a/0x40 -____kasan_slab_free+0x155/0x1b0 -slab_free_freelist_hook+0x11b/0x220 -__kmem_cache_free+0xa4/0x360 -ops_init+0xb9/0x410 -setup_net+0x5aa/0xbd0 -copy_net_ns+0x2e6/0x6b0 -create_new_namespaces+0x382/0xa50 -unshare_nsproxy_namespaces+0xa6/0x1c0 -ksys_unshare+0x3a4/0x7e0 -__x64_sys_unshare+0x2d/0x40 -do_syscall_64+0x35/0x80 -entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Fixes: f875bae06533 ("net: Automatically allocate per namespace data.") -Signed-off-by: Zhengchao Shao -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/core/net_namespace.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c -index 34fd852fe3ca..3c90890816b8 100644 ---- a/net/core/net_namespace.c -+++ b/net/core/net_namespace.c -@@ -101,6 +101,7 @@ static int net_assign_generic(struct net *net, unsigned int id, void *data) - - static int ops_init(const struct pernet_operations *ops, struct net *net) - { -+ struct net_generic *ng; - int err = -ENOMEM; - void *data = NULL; - -@@ -119,7 +120,13 @@ static int ops_init(const struct pernet_operations *ops, struct net *net) - if (!err) - return 0; - -+ if (ops->id && ops->size) { - cleanup: -+ ng = rcu_dereference_protected(net->gen, -+ lockdep_is_held(&pernet_ops_rwsem)); -+ ng->ptr[*ops->id] = NULL; -+ } -+ - kfree(data); - - out: --- -2.35.1 - diff --git a/queue-4.14/series b/queue-4.14/series index 5799ce8765d..5b347c09528 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -41,7 +41,6 @@ amd-xgbe-fix-the-sfp-compliance-codes-check-for-dac-.patch amd-xgbe-add-the-bit-rate-quirk-for-molex-cables.patch kcm-annotate-data-races-around-kcm-rx_psock.patch kcm-annotate-data-races-around-kcm-rx_wait.patch -net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch net-lantiq_etop-don-t-free-skb-when-returning-netdev.patch tcp-fix-indefinite-deferral-of-rto-with-sack-renegin.patch can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch diff --git a/queue-4.9/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch b/queue-4.9/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch deleted file mode 100644 index 51aabd3b2a5..00000000000 --- a/queue-4.9/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From e8a4e8d9d1a5109cdf7f0973b8c07f43ba20625d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Oct 2022 10:42:13 +0800 -Subject: net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed - -From: Zhengchao Shao - -[ Upstream commit d266935ac43d57586e311a087510fe6a084af742 ] - -When the ops_init() interface is invoked to initialize the net, but -ops->init() fails, data is released. However, the ptr pointer in -net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked -to release the net, invalid address access occurs. - -The process is as follows: -setup_net() - ops_init() - data = kzalloc(...) ---> alloc "data" - net_assign_generic() ---> assign "date" to ptr in net->gen - ... - ops->init() ---> failed - ... - kfree(data); ---> ptr in net->gen is invalid - ... - ops_exit_list() - ... - nfqnl_nf_hook_drop() - *q = nfnl_queue_pernet(net) ---> q is invalid - -The following is the Call Trace information: -BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280 -Read of size 8 at addr ffff88810396b240 by task ip/15855 -Call Trace: - -dump_stack_lvl+0x8e/0xd1 -print_report+0x155/0x454 -kasan_report+0xba/0x1f0 -nfqnl_nf_hook_drop+0x264/0x280 -nf_queue_nf_hook_drop+0x8b/0x1b0 -__nf_unregister_net_hook+0x1ae/0x5a0 -nf_unregister_net_hooks+0xde/0x130 -ops_exit_list+0xb0/0x170 -setup_net+0x7ac/0xbd0 -copy_net_ns+0x2e6/0x6b0 -create_new_namespaces+0x382/0xa50 -unshare_nsproxy_namespaces+0xa6/0x1c0 -ksys_unshare+0x3a4/0x7e0 -__x64_sys_unshare+0x2d/0x40 -do_syscall_64+0x35/0x80 -entry_SYSCALL_64_after_hwframe+0x46/0xb0 - - -Allocated by task 15855: -kasan_save_stack+0x1e/0x40 -kasan_set_track+0x21/0x30 -__kasan_kmalloc+0xa1/0xb0 -__kmalloc+0x49/0xb0 -ops_init+0xe7/0x410 -setup_net+0x5aa/0xbd0 -copy_net_ns+0x2e6/0x6b0 -create_new_namespaces+0x382/0xa50 -unshare_nsproxy_namespaces+0xa6/0x1c0 -ksys_unshare+0x3a4/0x7e0 -__x64_sys_unshare+0x2d/0x40 -do_syscall_64+0x35/0x80 -entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Freed by 
task 15855: -kasan_save_stack+0x1e/0x40 -kasan_set_track+0x21/0x30 -kasan_save_free_info+0x2a/0x40 -____kasan_slab_free+0x155/0x1b0 -slab_free_freelist_hook+0x11b/0x220 -__kmem_cache_free+0xa4/0x360 -ops_init+0xb9/0x410 -setup_net+0x5aa/0xbd0 -copy_net_ns+0x2e6/0x6b0 -create_new_namespaces+0x382/0xa50 -unshare_nsproxy_namespaces+0xa6/0x1c0 -ksys_unshare+0x3a4/0x7e0 -__x64_sys_unshare+0x2d/0x40 -do_syscall_64+0x35/0x80 -entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Fixes: f875bae06533 ("net: Automatically allocate per namespace data.") -Signed-off-by: Zhengchao Shao -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/core/net_namespace.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c -index 48854eae294f..6ff81ccfb25b 100644 ---- a/net/core/net_namespace.c -+++ b/net/core/net_namespace.c -@@ -94,6 +94,7 @@ static int net_assign_generic(struct net *net, int id, void *data) - - static int ops_init(const struct pernet_operations *ops, struct net *net) - { -+ struct net_generic *ng; - int err = -ENOMEM; - void *data = NULL; - -@@ -112,7 +113,13 @@ static int ops_init(const struct pernet_operations *ops, struct net *net) - if (!err) - return 0; - -+ if (ops->id && ops->size) { - cleanup: -+ ng = rcu_dereference_protected(net->gen, -+ lockdep_is_held(&pernet_ops_rwsem)); -+ ng->ptr[*ops->id] = NULL; -+ } -+ - kfree(data); - - out: --- -2.35.1 - diff --git a/queue-4.9/series b/queue-4.9/series index 1249533890d..2abfa795a18 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -28,7 +28,6 @@ arc-iounmap-arg-is-volatile.patch alsa-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch kcm-annotate-data-races-around-kcm-rx_psock.patch kcm-annotate-data-races-around-kcm-rx_wait.patch -net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch net-lantiq_etop-don-t-free-skb-when-returning-netdev.patch tcp-fix-indefinite-deferral-of-rto-with-sack-renegin.patch can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch
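Review bot: the commit message says only "Drop ... from 4.9 and 4.14" and gives no reason, yet the deleted file backports a fix for a KASAN-reported use-after-free (upstream d266935ac43d, "net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed"), so a reader of the stable tree cannot tell from this commit whether the bug is being left unfixed on these two branches or whether a reworked backport is expected. Please add one line stating why the patch is dropped. One candidate is visible in the deleted hunk itself: the added cleanup path does `ng = rcu_dereference_protected(net->gen, lockdep_is_held(&pernet_ops_rwsem));`, and whether `pernet_ops_rwsem` is the lock that ops_init() runs under in the 4.9 and 4.14 trees is not something this diff shows; if it is not, the drop is a build or correctness fix and the message should say so, and a follow-up backport using the lock those branches actually hold around ops_init() would be the natural next step rather than leaving the UAF open.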
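Review bot: the two series edits are consistent with the file deletions (exactly one entry, `net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch`, removed from each of queue-4.14/series and queue-4.9/series, matching the deleted file names), so nothing further is needed in those hunks. One thing worth confirming before this lands: no later patch in either series should rely on the context the dropped patch would have added to net/core/net_namespace.c (the `struct net_generic *ng;` declaration at the top of ops_init() and the `if (ops->id && ops->size) {` block wrapped around the `cleanup:` label), since any subsequent queued patch touching ops_init() would then fail to apply once this one is gone.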