From: Greg Kroah-Hartman
Date: Tue, 1 Aug 2023 08:25:29 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.15.124~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=02fbd96ac0ef20859fe9e7ee24eb0db5c68e552b;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
net-sched-cls_fw-fix-improper-refcount-update-leads-to-use-after-free.patch
net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
---
diff --git a/queue-4.19/net-sched-cls_fw-fix-improper-refcount-update-leads-to-use-after-free.patch b/queue-4.19/net-sched-cls_fw-fix-improper-refcount-update-leads-to-use-after-free.patch
new file mode 100644
index 00000000000..a463e442760
--- /dev/null
+++ b/queue-4.19/net-sched-cls_fw-fix-improper-refcount-update-leads-to-use-after-free.patch
@@ -0,0 +1,57 @@
+From 0323bce598eea038714f941ce2b22541c46d488f Mon Sep 17 00:00:00 2001
+From: M A Ramdhan
+Date: Wed, 5 Jul 2023 12:15:30 -0400
+Subject: net/sched: cls_fw: Fix improper refcount update leads to use-after-free
+
+From: M A Ramdhan
+
+commit 0323bce598eea038714f941ce2b22541c46d488f upstream.
+
+In the event of a failure in tcf_change_indev(), fw_set_parms() will
+immediately return an error after incrementing or decrementing
+reference counter in tcf_bind_filter(). If attacker can control
+reference counter to zero and make reference freed, leading to
+use after free.
+
+In order to prevent this, move the point of possible failure above the
+point where the TC_FW_CLASSID is handled.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: M A Ramdhan
+Signed-off-by: M A Ramdhan
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
+Signed-off-by: Jakub Kicinski
+Signed-off-by: SeongJae Park
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_fw.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -221,11 +221,6 @@ static int fw_set_parms(struct net *net,
+ if (err < 0)
+ return err;
+ 
+- if (tb[TCA_FW_CLASSID]) {
+- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+- tcf_bind_filter(tp, &f->res, base);
+- }
+-
+ #ifdef CONFIG_NET_CLS_IND
+ if (tb[TCA_FW_INDEV]) {
+ int ret;
+@@ -244,6 +239,11 @@ static int fw_set_parms(struct net *net,
+ }
+ } else if (head->mask != 0xFFFFFFFF)
+ return err;
+ 
++ if (tb[TCA_FW_CLASSID]) {
++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
++ tcf_bind_filter(tp, &f->res, base);
++ }
++
+ return 0;
+ }
diff --git a/queue-4.19/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch b/queue-4.19/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
new file mode 100644
index 00000000000..3e9d9e6f312
--- /dev/null
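Review bot: The relocated `tcf_bind_filter()` block at the end of the second inner hunk is correct only because nothing between it and `return 0;` can fail; the reordering removes the bind-then-fail refcount imbalance described in the changelog, but leaves that ordering requirement implicit, so any error path added below the bind later would reintroduce the same use-after-free. A one-line comment above the moved block would pin the invariant, e.g. `/* Bind last: tcf_bind_filter() adjusts the class refcount, so no failing path may follow it in fw_set_parms() */`. The `return err;` branches visible at the top of the second hunk are now all above the bind, which is what makes the fix complete. fw_set_parms() starts before the first hunk, so the earlier part of the function is not visible here.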
+++ b/queue-4.19/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch 
@@ -0,0 +1,92 @@
+From 3e337087c3b5805fe0b8a46ba622a962880b5d64 Mon Sep 17 00:00:00 2001
+From: Pedro Tammela
+Date: Tue, 11 Jul 2023 18:01:02 -0300
+Subject: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
+
+From: Pedro Tammela
+
+commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 upstream.
+
+Lion says:
+-------
+In the QFQ scheduler a similar issue to CVE-2023-31436
+persists.
+
+Consider the following code in net/sched/sch_qfq.c:
+
+static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ struct sk_buff **to_free)
+{
+ unsigned int len = qdisc_pkt_len(skb), gso_segs;
+
+ // ...
+
+ if (unlikely(cl->agg->lmax < len)) {
+ pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
+ cl->agg->lmax, len, cl->common.classid);
+ err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
+ if (err) {
+ cl->qstats.drops++;
+ return qdisc_drop(skb, sch, to_free);
+ }
+
+ // ...
+
+ }
+
+Similarly to CVE-2023-31436, "lmax" is increased without any bounds
+checks according to the packet length "len". Usually this would not
+impose a problem because packet sizes are naturally limited.
+
+This is however not the actual packet length, rather the
+"qdisc_pkt_len(skb)" which might apply size transformations according to
+"struct qdisc_size_table" as created by "qdisc_get_stab()" in
+net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.
+
+A user may choose virtually any size using such a table.
+
+As a result the same issue as in CVE-2023-31436 can occur, allowing heap
+out-of-bounds read / writes in the kmalloc-8192 cache.
+-------
+
+We can create the issue with the following commands:
+
+tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
+overhead 999999999 linklayer ethernet qfq
+tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
+tc filter add dev $DEV parent 1: matchall classid 1:1
+ping -I $DEV 1.1.1.2
+
+This is caused by incorrectly assuming that qdisc_pkt_len() returns a
+length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: Lion
+Reviewed-by: Eric Dumazet
+Signed-off-by: Jamal Hadi Salim
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: Paolo Abeni
+Signed-off-by: Shaoying Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_qfq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -387,8 +387,13 @@ static int qfq_change_agg(struct Qdisc *
+ u32 lmax)
+ {
+ struct qfq_sched *q = qdisc_priv(sch);
+- struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight);
++ struct qfq_aggregate *new_agg;
+ 
++ /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */
++ if (lmax > (1UL << QFQ_MTU_SHIFT))
++ return -EINVAL;
++
++ new_agg = qfq_find_agg(q, lmax, weight);
+ if (new_agg == NULL) { /* create new aggregate */
+ new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC);
+ if (new_agg == NULL)
diff --git a/queue-4.19/series b/queue-4.19/series
index dfdbfca34ff..3b1391a46e2 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -280,3 +280,5 @@ s390-dasd-fix-hanging-device-after-quiesce-resume.patch
 asoc-wm8904-fill-the-cache-for-wm8904_adc_test_0-register.patch
 dm-cache-policy-smq-ensure-io-doesn-t-prevent-cleaner-policy-progress.patch
 drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
+net-sched-cls_fw-fix-improper-refcount-update-leads-to-use-after-free.patch
+net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
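Review bot: The new guard in qfq_change_agg() enforces only the upper bound `1UL << QFQ_MTU_SHIFT`, while the comment directly above it advertises the full range `[QFQ_MIN_LMAX, pktlen + stab overhead]`; the lower bound is not checked in this hunk and, judging from the qfq_enqueue() excerpt in the changelog, appears to rely on callers only ever growing lmax. Either make the comment say what is enforced, e.g. `/* only the upper bound is checked here; the lower bound comes from the caller's existing lmax */`, or validate both ends so the helper does not depend on its callers. It would also help to state that this is meant to be the same limit the TCA_QFQ_LMAX netlink path is validated against, if this tree validates it in qfq_change_class(), so the two checks are kept in sync. qfq_change_agg() starts before the hunk and continues after it; the series hunk below is a plain list append and needs no review.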