ACK: [SRU][Xenial][PATCH 1/1] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()

Stefan Bader stefan.bader at canonical.com
Mon Jan 16 10:22:51 UTC 2023 

On 13.01.23 13:20, Andrei Gherzan wrote:
> From: Hangyu Hua <hbh25y at gmail.com>
> 
> xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of
> pols[0]. This refcount can be dropped in xfrm_expand_policies() when
> xfrm_expand_policies() return error. pols[0]'s refcount is balanced in
> here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with
> num_pols == 1 to drop this refcount when xfrm_expand_policies() return
> error.
> 
> This patch also fix an illegal address access. pols[0] will save a error
> point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve
> an illegal address in xfrm_bundle_lookup's error path.
> 
> Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.
> 
> Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing flows")
> Signed-off-by: Hangyu Hua <hbh25y at gmail.com>
> Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
> CVE-2022-36879
> (cherry picked from commit f85daf0e725358be78dfd208dea5fd665d8cb901)
> Signed-off-by: Andrei Gherzan <andrei.gherzan at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>   net/xfrm/xfrm_policy.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index 77605778a922..21cdb53aadcc 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -1792,8 +1792,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
>   		*num_xfrms = 0;
>   		return 0;
>   	}
> -	if (IS_ERR(pols[0]))
> +	if (IS_ERR(pols[0])) {
> +		*num_pols = 0;
>   		return PTR_ERR(pols[0]);
> +	}
>   
>   	*num_xfrms = pols[0]->xfrm_nr;
>   
> @@ -1807,6 +1809,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
>   		if (pols[1]) {
>   			if (IS_ERR(pols[1])) {
>   				xfrm_pols_put(pols, *num_pols);
> +				*num_pols = 0;
>   				return PTR_ERR(pols[1]);
>   			}
>   			(*num_pols)++;

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230116/22796cb0/attachment.sig>

More information about the kernel-team mailing list