Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/net
History
Stephen Hemminger 4959125286 sch/netem: fix use after free in netem_dequeue 
commit 3b3a2a9c6349e25a025d2330f479bc33a6ccb54a upstream.

If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")

Commands to trigger KASAN UaF:

ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF

Fixes: 50612537e9ab ("netem: fix classful handling")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-23 23:20:59 +01:00
..
6lowpan
9p net/9p: fix uninit-value in p9_client_rpc() 2024-11-19 12:27:18 +01:00
802
8021q
appletalk
atm
ax25
batman-adv batman-adv: fix random jitter calculation 2024-11-19 17:55:48 +01:00
bluetooth Bluetooth: MGMT: Add error handling to pair_device() 2024-11-23 23:20:49 +01:00
bpf
bpfilter
bridge net: bridge: fix multicast-to-unicast with fraglist GSO 2024-11-19 11:32:43 +01:00
caif
can net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new 2024-11-19 14:19:34 +01:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-11-19 14:19:45 +01:00
core bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2024-11-23 23:20:59 +01:00
dcb
dccp
decnet
dns_resolver
dsa
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-11-19 11:32:39 +01:00
ethtool ethtool: check device is present when getting link settings 2024-11-23 23:20:55 +01:00
hsr hsr: Handle failures in module init 2024-11-19 08:44:59 +01:00
ieee802154
ife
ipv4 net: set SOCK_RCU_FREE before inserting socket into hashtable 2024-11-23 23:20:59 +01:00
ipv6 ipv6: prevent UAF in ip6_send_skb() 2024-11-23 23:20:49 +01:00
iucv s390/iucv: fix receive buffer virtual vs physical address confusion 2024-11-23 23:20:47 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-11-23 23:20:48 +01:00
key
l2tp l2tp: fix lockdep splat 2024-11-23 23:20:22 +01:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: fix BA session teardown race 2024-11-23 23:20:44 +01:00
mac802154 Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" 2024-11-19 14:52:14 +01:00
mpls
mptcp mptcp: sched: check both backup in retrans 2024-11-23 23:20:53 +01:00
ncm
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-11-19 14:19:00 +01:00
netfilter netfilter: nft_counter: Synchronize nft_counter_reset() against reader. 2024-11-23 23:20:48 +01:00
netlabel
netlink netlink: hold nlk->cb_mutex longer in __netlink_dump_start() 2024-11-23 23:20:45 +01:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-11-19 14:19:08 +01:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-11-19 12:27:10 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-11-19 11:32:42 +01:00
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-11-19 12:27:09 +01:00
packet af_packet: Handle outgoing VLAN packets without hardware offloading 2024-11-23 23:20:12 +01:00
phonet phonet: fix rtm_phonet_notify() skb allocation 2024-11-19 11:32:46 +01:00
psample
qrtr
rds net:rds: Fix possible deadlock in rds_message_put 2024-11-23 23:20:54 +01:00
rfkill
rose
rxrpc
sched sch/netem: fix use after free in netem_dequeue 2024-11-23 23:20:59 +01:00
sctp sctp: Fix null-ptr-deref in reuseport_add_sock(). 2024-11-23 23:20:22 +01:00
skb_tracer
smc net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined 2024-11-23 23:20:06 +01:00
strparser
sunrpc nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg(). 2024-11-23 23:20:50 +01:00
switchdev
tipc tipc: Return non-zero value from tipc_udp_addr2str() on error 2024-11-23 23:20:17 +01:00
tls tls: fix missing memory barrier in tls_init 2024-11-19 12:27:09 +01:00
unix af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). 2024-11-19 14:19:01 +01:00
vmw_vsock
wimax
wireless wifi: cfg80211: make hash table duplicates more survivable 2024-11-23 23:20:58 +01:00
x25
xdp xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING 2024-11-19 11:32:19 +01:00
xfrm net: fix __dst_negative_advice() race 2024-11-19 12:27:19 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c
sysctl_net.c
TEST_MAPPING