refs/tags/android-14.0.0_r0.47 - kernel/msm.git

tag	523115fce1de01bb435d02525315ecce7aeaaccd
tagger	The Android Open Source Project <initial-contribution@android.com>	Tue Feb 06 11:39:09 2024 -0800
object	7b0944645172e8b690d42f68c8973ccb0ca45730

Android 14.0.0 Release 0.47 (UP1A.231105.001.B2,bramble/redfin)

commit	7b0944645172e8b690d42f68c8973ccb0ca45730	[log] [tgz]
author	M A Ramdhan <ramdhan@starlabs.sg>	Wed Jul 05 12:15:30 2023 -0400
committer	Pindar Yang <pindaryang@google.com>	Thu Sep 07 05:43:03 2023 +0000
tree	590052e86eca5409d468adc8e4d15181acb5b856
parent	1f0f7f32382465b374864ad5b0fb2c02ceb3ba07 [diff]

UPSTREAM: net/sched: cls_fw: Fix improper refcount update leads to use-after-free

[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]

In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing
reference counter in tcf_bind_filter().  If attacker can control
reference counter to zero and make reference freed, leading to
use after free.

In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.

Bug: 292252062
Bug: 290783303
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199)
Signed-off-by: Lee Jones <joneslee@google.com>
(cherry picked from commit a89c7b9715e2d482a08b58b698f0cf37da373070)
Signed-off-by: Pindar Yang <pindaryang@google.com>
Change-Id: I9bf6f540b4eb23ea5641fb3efe6f3e621d7b6151

net/sched/cls_fw.c[diff]

1 file changed

tree: 590052e86eca5409d468adc8e4d15181acb5b856