Android 14.0.0 Release 0.47 (UP1A.231105.001.B2,bramble/redfin)
UPSTREAM: net/sched: cls_fw: Fix improper refcount update leads to use-after-free
[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]
In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing
reference counter in tcf_bind_filter(). If attacker can control
reference counter to zero and make reference freed, leading to
use after free.
In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.
Bug: 292252062
Bug: 290783303
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199)
Signed-off-by: Lee Jones <joneslee@google.com>
(cherry picked from commit a89c7b9715e2d482a08b58b698f0cf37da373070)
Signed-off-by: Pindar Yang <pindaryang@google.com>
Change-Id: I9bf6f540b4eb23ea5641fb3efe6f3e621d7b6151
1 file changed