From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 15 Aug 2022 11:52:05 +0000 (+0200)
Subject: 5.18-stable patches
X-Git-Tag: v5.15.61~73
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb541b77c986e52f270f18e93935abad2f953543;p=thirdparty%2Fkernel%2Fstable-queue.git

5.18-stable patches

added patches:
	net_sched-cls_route-remove-from-list-when-handle-is-0.patch
---

diff --git a/queue-5.18/net_sched-cls_route-remove-from-list-when-handle-is-0.patch b/queue-5.18/net_sched-cls_route-remove-from-list-when-handle-is-0.patch
new file mode 100644
index 00000000000..e4c2708e233
--- /dev/null
+++ b/queue-5.18/net_sched-cls_route-remove-from-list-when-handle-is-0.patch
@@ -0,0 +1,45 @@
+From 9ad36309e2719a884f946678e0296be10f0bb4c1 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 9 Aug 2022 14:05:18 -0300
+Subject: net_sched: cls_route: remove from list when handle is 0
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 9ad36309e2719a884f946678e0296be10f0bb4c1 upstream.
+
+When a route filter is replaced and the old filter has a 0 handle, the old
+one won't be removed from the hashtable, while it will still be freed.
+
+The test was there since before commit 1109c00547fc ("net: sched: RCU
+cls_route"), when a new filter was not allocated when there was an old one.
+The old filter was reused and the reinserting would only be necessary if an
+old filter was replaced. That was still wrong for the same case where the
+old handle was 0.
+
+Remove the old filter from the list independently from its handle value.
+
+This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.
+
+Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Kamal Mostafa <kamal@canonical.com>
+Cc: <stable@vger.kernel.org>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_route.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/cls_route.c
++++ b/net/sched/cls_route.c
+@@ -526,7 +526,7 @@ static int route4_change(struct net *net
+ 	rcu_assign_pointer(f->next, f1);
+ 	rcu_assign_pointer(*fp, f);
+ 
+-	if (fold && fold->handle && f->handle != fold->handle) {
++	if (fold) {
+ 		th = to_hash(fold->handle);
+ 		h = from_hash(fold->handle >> 16);
+ 		b = rtnl_dereference(head->table[th]);
diff --git a/queue-5.18/series b/queue-5.18/series
index 5041779dad6..cad0d7b6597 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -1082,3 +1082,4 @@ xen-blkfront-apply-feature_persistent-parameter-when-connect.patch
 powerpc-fix-eh-field-when-calling-lwarx-on-ppc32.patch
 btrfs-join-running-log-transaction-when-logging-new-name.patch
 btrfs-convert-count_max_extents-to-use-fs_info-max_extent_size.patch
+net_sched-cls_route-remove-from-list-when-handle-is-0.patch