From: M A Ramdhan <ramdhan@starlabs.sg>
To: valis <sec@valis.email>
Cc: netdev@vger.kernel.org, jhs@mojatatu.com,
xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
pctammela@mojatatu.com, victor@mojatatu.com, billy@starlabs.sg
Subject: Re: [PATCH net 1/3] net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
Date: Sat, 22 Jul 2023 01:04:29 +0700 [thread overview]
Message-ID: <CACSEBQQdOJAX1yqDMLb_yQMpU2yoUShhS_pCSDndWepxfw3Rsw@mail.gmail.com> (raw)
In-Reply-To: <20230721174856.3045-2-sec@valis.email>
On Sat, Jul 22, 2023 at 12:51 AM valis <sec@valis.email> wrote:
>
> When u32_change() is called on an existing filter, the whole
> tcf_result struct is always copied into the new instance of the filter.
>
> This causes a problem when updating a filter bound to a class,
> as tcf_unbind_filter() is always called on the old instance in the
> success path, decreasing filter_cnt of the still referenced class
> and allowing it to be deleted, leading to a use-after-free.
>
> Fix this by no longer copying the tcf_result struct from the old filter.
>
> Fixes: de5df63228fc ("net: sched: cls_u32 changes to knode must appear atomic to readers")
> Reported-by: valis <sec@valis.email>
> Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
> Signed-off-by: valis <sec@valis.email>
> Cc: stable@vger.kernel.org
> ---
> net/sched/cls_u32.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 5abf31e432ca..19aa60d1eea7 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -826,7 +826,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
>
> new->ifindex = n->ifindex;
> new->fshift = n->fshift;
> - new->res = n->res;
> new->flags = n->flags;
> RCU_INIT_POINTER(new->ht_down, ht);
>
> --
> 2.30.2
>
Hi,
We also thought it's also the correct fixes,
but we're not sure because it will always remove the already bound
qdisc class when we change the filter, even tho we never specify
the new TCA_U32_CLASSID in the new filter.
I also look at the implementation of cls_tcindex and cls_rsvp which still copy
the old tcf_result, but don't call the tcf_unbind_filter when changing
the filter.
If it's the intended behaviour, then I'm good with this patch.
Thanks & Regards,
M A Ramdhan
next prev parent reply other threads:[~2023-07-21 18:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-21 17:48 [PATCH net 0/3] net/sched Bind logic fixes for cls_fw, cls_u32 and cls_route valis
2023-07-21 17:48 ` [PATCH net 1/3] net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free valis
2023-07-21 18:04 ` M A Ramdhan [this message]
2023-07-21 18:58 ` Pedro Tammela
2023-07-21 20:38 ` M A Ramdhan
2023-07-21 19:55 ` Jamal Hadi Salim
2023-07-21 17:48 ` [PATCH net 2/3] net/sched: cls_fw: " valis
2023-07-21 17:48 ` [PATCH net 3/3] net/sched: cls_route: " valis
2023-07-21 19:00 ` [PATCH net 0/3] net/sched Bind logic fixes for cls_fw, cls_u32 and cls_route Pedro Tammela
2023-07-21 19:56 ` Jamal Hadi Salim
2023-07-23 7:25 ` M A Ramdhan
2023-07-25 12:57 ` Paolo Abeni
2023-07-25 19:05 ` valis
2023-07-25 20:09 ` Jakub Kicinski
2023-07-25 21:36 ` valis
2023-07-25 22:03 ` Jakub Kicinski
2023-07-26 4:07 ` Greg Kroah-Hartman
2023-07-26 13:59 ` Jamal Hadi Salim
2023-07-26 15:25 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACSEBQQdOJAX1yqDMLb_yQMpU2yoUShhS_pCSDndWepxfw3Rsw@mail.gmail.com \
--to=ramdhan@starlabs.sg \
--cc=billy@starlabs.sg \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pctammela@mojatatu.com \
--cc=sec@valis.email \
--cc=victor@mojatatu.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).