From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2A457129EF7; Mon, 18 Dec 2023 14:05:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="EL4esRLQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A6983C433C8; Mon, 18 Dec 2023 14:05:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1702908314; bh=3ry8tT3fXKMbWtw9Xm3ieXUUvIvirqsmI9uCC7NOmpY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EL4esRLQiEiTv3hwA4q/13d4hfZwIf7UJBsqId5SJWmgrTwp8+YRd4qrCH4tvk25l z9NFIMQnImJh6btjkgFHENsgfFQHK1Nrfif+bpGwPKMqI0tCb/bPETJq0vFnj3EOWA 5tGNlamVHNou2P3qiZjysg81VB6tkw6xUcZ5J9u8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Florent Revest , Jiri Pirko , Hangbin Liu , Jakub Kicinski Subject: [PATCH 6.6 132/166] team: Fix use-after-free when an option instance allocation fails Date: Mon, 18 Dec 2023 14:51:38 +0100 Message-ID: <20231218135110.997479166@linuxfoundation.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231218135104.927894164@linuxfoundation.org> References: <20231218135104.927894164@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Florent Revest commit c12296bbecc488623b7d1932080e394d08f3226b upstream. In __team_options_register, team_options are allocated and appended to the team's option_list. If one option instance allocation fails, the "inst_rollback" cleanup path frees the previously allocated options but doesn't remove them from the team's option_list. This leaves dangling pointers that can be dereferenced later by other parts of the team driver that iterate over options. This patch fixes the cleanup path to remove the dangling pointers from the list. As far as I can tell, this uaf doesn't have much security implications since it would be fairly hard to exploit (an attacker would need to make the allocation of that specific small object fail) but it's still nice to fix. Cc: stable@vger.kernel.org Fixes: 80f7c6683fe0 ("team: add support for per-port options") Signed-off-by: Florent Revest Reviewed-by: Jiri Pirko Reviewed-by: Hangbin Liu Link: https://lore.kernel.org/r/20231206123719.1963153-1-revest@chromium.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- drivers/net/team/team.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -281,8 +281,10 @@ static int __team_options_register(struc return 0; inst_rollback: - for (i--; i >= 0; i--) + for (i--; i >= 0; i--) { __team_option_inst_del_option(team, dst_opts[i]); + list_del(&dst_opts[i]->list); + } i = option_count; alloc_rollback: