net/sched: cls_fw: Fix improper refcount update leads to use-after-free
[ Upstream commit 0323bce5 ] In the event of a failure in tcf_change_indev(), fw_set_parms() will immediately return an error after incrementing or decrementing reference counter in tcf_bind_filter(). If attacker can control reference counter to zero and make reference freed, leading to use after free. In order to prevent this, move the point of possible failure above the point where the TC_FW_CLASSID is handled. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Reported-by:M A Ramdhan <ramdhan@starlabs.sg> Signed-off-by:
Jamal Hadi Salim <jhs@mojatatu.com> Reviewed-by:
Pedro Tammela <pctammela@mojatatu.com> Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg> Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Signed-off-by:
Sasha Levin <sashal@kernel.org>
Loading
-
mentioned in commit 4196d8b1
-
mentioned in commit a4fd973a
-
mentioned in commit cdb564cd
-
mentioned in commit a6d79158
-
mentioned in commit f686a35a
-
mentioned in commit 11518ebf
-
mentioned in commit 8f79a0c5
-
mentioned in commit 183e0722
-
mentioned in commit f23f00da
-
mentioned in commit 889326fe
-
mentioned in commit 0f62804d
-
mentioned in commit bad8adda
-
mentioned in commit 6da2e53f
-
mentioned in commit 40eee8ea
-
mentioned in commit 2e278471
-
mentioned in commit 9aa9fcda
-
mentioned in commit 18864fb4
-
mentioned in commit 1ebc5813
-
mentioned in commit b035018d
-
mentioned in commit 60c9755e
-
mentioned in commit 4cfdbaab
-
mentioned in commit 8a444658
-
mentioned in commit 4554a46a
-
mentioned in commit 4791f042
-
mentioned in commit b52312c1
-
mentioned in commit 3db0d04a
-
mentioned in commit 769612f5
Please sign in to comment