android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c91fb29bb0
android_kernel_samsung_sm8650/net
History
M A Ramdhan c91fb29bb0 net/sched: cls_fw: Fix improper refcount update leads to use-after-free 
[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]

In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing
reference counter in tcf_bind_filter().  If attacker can control
reference counter to zero and make reference freed, leading to
use after free.

In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-07-23 13:49:22 +02:00
..
6lowpan net: 6lowpan: constify lowpan_nhc structures 2022-06-09 21:53:28 +02:00
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-20 12:35:08 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-24 17:32:47 +01:00
appletalk net: remove noblock parameter from skb_recv_datagram() 2022-04-06 13:45:26 +01:00
atm atm: hide unused procfs functions 2023-06-09 10:34:16 +02:00
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv batman-adv: Broken sync while rescheduling delayed work 2023-06-14 11:15:23 +02:00
bluetooth Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable 2023-07-19 16:22:02 +02:00
bpf Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES" 2023-03-17 08:50:32 +01:00
bpfilter uaccess: remove CONFIG_SET_FS 2022-02-25 09:36:06 +01:00
bridge net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode 2023-07-19 16:22:04 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:50:24 +01:00
can can: isotp: isotp_sendmsg(): fix return error fix on TX path 2023-07-01 13:16:23 +02:00
ceph use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
core netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-19 16:21:13 +02:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-03 08:01:55 -08:00
dccp netfilter: keep conntrack reference until IPsecv6 policy checks are done 2023-05-11 23:03:18 +09:00
dns_resolver
dsa net: dsa: sja1105: always enable the send_meta options 2023-07-19 16:22:06 +02:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: Fix uninitialized number of lanes 2023-05-17 11:53:37 +02:00
hsr hsr: ratelimit only when errors are printed 2023-04-06 12:10:58 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 tcp: annotate data races in __tcp_oow_rate_limited() 2023-07-19 16:22:05 +02:00
ipv6 xfrm: Linearize the skb after offloading if needed. 2023-06-28 11:12:29 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:33:50 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key af_key: Reject optional tunnel/BEET mode templates in outbound policies 2023-05-24 17:32:43 +01:00
l2tp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 14:28:43 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-15 14:27:24 -07:00
lapb
llc net: deal with most data-races in sk_wait_event() 2023-05-24 17:32:32 +01:00
mac80211 wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam 2023-07-19 16:21:09 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-05 09:53:08 +01:00
mctp net: mctp: purge receive queues on sk destruction 2023-02-06 08:06:34 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:59:53 +01:00
mptcp mptcp: ensure listener is unhashed before updating the sk status 2023-07-01 13:16:22 +02:00
ncsi net/ncsi: clear Tx enable mode when handling a Config required AEN 2023-05-17 11:53:32 +02:00
netfilter netfilter: nf_tables: prevent OOB access in nft_byteorder_eval 2023-07-19 16:22:17 +02:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-19 16:21:13 +02:00
netrom netrom: fix info-leak in nr_write_internal() 2023-06-09 10:34:01 +02:00
nfc net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-24 17:32:45 +01:00
openvswitch net: openvswitch: fix race on port output 2023-04-20 12:35:09 +02:00
packet af_packet: do not use READ_ONCE() in packet_bind() 2023-06-09 10:34:02 +02:00
phonet net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:35:09 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:33:02 +01:00
rfkill rfkill: make new event layout opt-in 2022-03-18 13:09:17 +02:00
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:59:42 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:53:35 +02:00
sched net/sched: cls_fw: Fix improper refcount update leads to use-after-free 2023-07-23 13:49:22 +02:00
sctp sctp: fix potential deadlock on &net->sctp.addr_wq_lock 2023-07-19 16:22:00 +02:00
smc net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT 2023-06-14 11:15:17 +02:00
strparser strparser: pad sk_skb_cb to avoid straddling cachelines 2022-07-08 18:38:44 -07:00
sunrpc SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-19 16:21:48 +02:00
switchdev net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
tipc net: tipc: resize nlattr array to correct size 2023-06-21 16:01:02 +02:00
tls tls: rx: strp: don't use GFP_KERNEL in softirq context 2023-06-09 10:34:29 +02:00
unix bpf, sockmap: Pass skb ownership through read_skb 2023-06-05 09:26:18 +02:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-24 17:32:44 +01:00
wireless wifi: cfg80211: fix regulatory disconnect for non-MLO 2023-07-19 16:22:09 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-09 11:28:13 +01:00
xdp xsk: Honor SO_BINDTODEVICE on bind 2023-07-19 16:22:05 +02:00
xfrm xfrm: Ensure policies always checked on XFRM-I input path 2023-06-28 11:12:28 +02:00
compat.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
devres.c
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
socket.c net: annotate sk->sk_err write from do_recvmmsg() 2023-05-24 17:32:32 +01:00
sysctl_net.c