From: Greg Kroah-Hartman Date: Mon, 18 Dec 2023 07:22:46 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.15.144~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=54a28b629acca64d7add43517272876b2715ba8b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: team-fix-use-after-free-when-an-option-instance-allocation-fails.patch --- diff --git a/queue-4.14/series b/queue-4.14/series index 64f331e0ae7..387863274e9 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -20,3 +20,4 @@ asm-generic-qspinlock-fix-queued_spin_value_unlocked.patch net-usb-qmi_wwan-claim-interface-4-for-zte-mf290.patch hid-hid-asus-add-const-to-read-only-outgoing-usb-buf.patch ext4-prevent-the-normalized-size-from-exceeding-ext_max_blocks.patch +team-fix-use-after-free-when-an-option-instance-allocation-fails.patch diff --git a/queue-4.14/team-fix-use-after-free-when-an-option-instance-allocation-fails.patch b/queue-4.14/team-fix-use-after-free-when-an-option-instance-allocation-fails.patch new file mode 100644 index 00000000000..64f25055c3e --- /dev/null +++ b/queue-4.14/team-fix-use-after-free-when-an-option-instance-allocation-fails.patch 
@@ -0,0 +1,51 @@ +From c12296bbecc488623b7d1932080e394d08f3226b Mon Sep 17 00:00:00 2001 +From: Florent Revest +Date: Wed, 6 Dec 2023 13:37:18 +0100 +Subject: team: Fix use-after-free when an option instance allocation fails + +From: Florent Revest + +commit c12296bbecc488623b7d1932080e394d08f3226b upstream. + +In __team_options_register, team_options are allocated and appended to +the team's option_list. +If one option instance allocation fails, the "inst_rollback" cleanup +path frees the previously allocated options but doesn't remove them from +the team's option_list. +This leaves dangling pointers that can be dereferenced later by other +parts of the team driver that iterate over options. + +This patch fixes the cleanup path to remove the dangling pointers from +the list. + +As far as I can tell, this uaf doesn't have much security implications +since it would be fairly hard to exploit (an attacker would need to make +the allocation of that specific small object fail) but it's still nice +to fix. + +Cc: stable@vger.kernel.org +Fixes: 80f7c6683fe0 ("team: add support for per-port options") +Signed-off-by: Florent Revest +Reviewed-by: Jiri Pirko +Reviewed-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231206123719.1963153-1-revest@chromium.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -296,8 +296,10 @@ static int __team_options_register(struc + return 0; + + inst_rollback: +- for (i--; i >= 0; i--) ++ for (i--; i >= 0; i--) { + __team_option_inst_del_option(team, dst_opts[i]); ++ list_del(&dst_opts[i]->list); ++ } + + i = option_count; + alloc_rollback:
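Review bot: In the inst_rollback loop of the drivers/net/team/team.c hunk, iteration starts at `i--`, so the option at the index whose instance allocation failed is never passed to list_del(); only the earlier entries are unlinked. That is correct only if the registration loop above this hunk (not visible here) appends each option to the team's option_list after __team_option_inst_add_option() has succeeded for it. Confirm that ordering in the 4.14 tree before queueing, and consider a one-line comment above the loop stating it, because an option linked before its instance allocation failed would still be left on the list when the rollback path frees it. The call order inside the loop body (__team_option_inst_del_option() first, then list_del()) looks fine as written.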