From: Greg Kroah-Hartman Date: Sun, 8 Sep 2024 10:05:23 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.19.322~140 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b66ecfbd244ff379afbfe0a95f142e8cb1fbe4cf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: sch-netem-fix-use-after-free-in-netem_dequeue.patch --- diff --git a/queue-5.10/sch-netem-fix-use-after-free-in-netem_dequeue.patch b/queue-5.10/sch-netem-fix-use-after-free-in-netem_dequeue.patch new file mode 100644 index 00000000000..aaa45e33fc6 --- /dev/null +++ b/queue-5.10/sch-netem-fix-use-after-free-in-netem_dequeue.patch 
@@ -0,0 +1,62 @@ +From 3b3a2a9c6349e25a025d2330f479bc33a6ccb54a Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Sun, 1 Sep 2024 11:16:07 -0700 +Subject: sch/netem: fix use after free in netem_dequeue + +From: Stephen Hemminger + +commit 3b3a2a9c6349e25a025d2330f479bc33a6ccb54a upstream. + +If netem_dequeue() enqueues packet to inner qdisc and that qdisc +returns __NET_XMIT_STOLEN. The packet is dropped but +qdisc_tree_reduce_backlog() is not called to update the parent's +q.qlen, leading to the similar use-after-free as Commit +e04991a48dbaf382 ("netem: fix return value if duplicate enqueue +fails") + +Commands to trigger KASAN UaF: + +ip link add type dummy +ip link set lo up +ip link set dummy0 up +tc qdisc add dev lo parent root handle 1: drr +tc filter add dev lo parent 1: basic classid 1:1 +tc class add dev lo classid 1:1 drr +tc qdisc add dev lo parent 1:1 handle 2: netem +tc qdisc add dev lo parent 2: handle 3: drr +tc filter add dev lo parent 3: basic classid 3:1 action mirred egress +redirect dev dummy0 +tc class add dev lo classid 3:1 drr +ping -c1 -W0.01 localhost # Trigger bug +tc class del dev lo classid 1:1 +tc class add dev lo classid 1:1 drr +ping -c1 -W0.01 localhost # UaF + +Fixes: 50612537e9ab ("netem: fix classful handling") +Reported-by: Budimir Markovic +Signed-off-by: Stephen Hemminger +Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -733,11 +733,10 @@ deliver: + + err = qdisc_enqueue(skb, q->qdisc, &to_free); + kfree_skb_list(to_free); +- if (err != NET_XMIT_SUCCESS && +- net_xmit_drop_count(err)) { +- qdisc_qstats_drop(sch); +- qdisc_tree_reduce_backlog(sch, 1, +- pkt_len); ++ if (err != NET_XMIT_SUCCESS) { ++ if (net_xmit_drop_count(err)) ++ qdisc_qstats_drop(sch); ++ 
qdisc_tree_reduce_backlog(sch, 1, pkt_len); + } + goto tfifo_dequeue; + } diff --git a/queue-5.10/series b/queue-5.10/series index 7855cc8a2e9..aac459b961c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -51,3 +51,4 @@ udf-limit-file-size-to-4tb.patch ext4-handle-redirtying-in-ext4_bio_write_page.patch i2c-use-is_reachable-for-substituting-empty-acpi-functions.patch bpf-cgroup-assign-cgroup-in-cgroup_sk_alloc-when-called-from-interrupt.patch +sch-netem-fix-use-after-free-in-netem_dequeue.patch
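Review bot: The commit message in the new queue-5.10 patch file leans on e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") as the sibling fix for the same use-after-free, yet that commit does not appear in the series hunk here; confirm it is already applied on 5.10 before queuing this one, since the reproducer and the q.qlen accounting argument assume the duplicate-enqueue path has already been corrected. The Fixes: tag (50612537e9ab, "netem: fix classful handling") predates 5.10, so the bug itself is in scope for this branch.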
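Review bot: In the net/sched/sch_netem.c hunk the rewritten block now calls qdisc_tree_reduce_backlog(sch, 1, pkt_len) for every err != NET_XMIT_SUCCESS while keeping qdisc_qstats_drop(sch) gated on net_xmit_drop_count(err); that split is the point of the fix (a packet the inner qdisc reports as stolen has still left this qdisc's backlog even though it is not counted as a drop), but nothing in the code says so, and a future cleanup could easily fold the two back together and reintroduce the stale parent q.qlen. Add a one-line comment above the inner if, along the lines of `/* dropped or stolen: either way the skb is no longer in our backlog */`, so the distinction survives. The trailing `goto tfifo_dequeue;` is unchanged, so the control flow after the block is unaffected.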