Google Git
Sign in
cos / third_party / kernel / 35d9e3b6697ba2ffbb1510ad8882a4cbf22cbd84
commit35d9e3b6697ba2ffbb1510ad8882a4cbf22cbd84[log] [tgz]
authorPierre Riteau <[email protected]>Thu Feb 13 23:36:10 2025 +0100
committerArnav Kansal <[email protected]>Sat Mar 15 14:16:44 2025 -0700
treec1ed9d0cddc5491939c38db4a8bf631f7b1845c2
parentc06af89ced34c1b1328f305f99abc55cd3f496f5 [diff]
net/sched: cls_api: fix error handling causing NULL dereference

[ Upstream commit 071ed42cff4fcdd89025d966d48eabef59913bf2 ]

tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
return 1 if the allocation succeeded after wrapping. This was treated as
an error, with value 1 returned to caller tcf_exts_init_ex() which sets
exts->actions to NULL and returns 1 to caller fl_change().

fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
which calls tcf_action_init() with exts->actions as argument, where it
is dereferenced.

Example trace:

BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1
RIP: 0010:tcf_action_init+0x1f8/0x2c0
Call Trace:
 tcf_action_init+0x1f8/0x2c0
 tcf_exts_validate_ex+0x175/0x190
 fl_change+0x537/0x1120 [cls_flower]

BUG=b/403502768
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2025-21857 in the Linux kernel.

cos-patch: security-moderate
Fixes: 80cd22c35c90 ("net/sched: cls_api: Support hardware miss to tc action")
Change-Id: I41f7ad432dae767b936e0a74a8d1fb1b0dc6d28e
Signed-off-by: Pierre Riteau <[email protected]>
Reviewed-by: Michal Swiatkowski <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Kernel CVE Triage Automation <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/96068
Tested-by: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Arnav Kansal <[email protected]>
Reviewed-by: Shuo Yang <[email protected]>
1 file changed
tree: c1ed9d0cddc5491939c38db4a8bf631f7b1845c2
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. google/
  9. include/
  10. init/
  11. io_uring/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. rust/
  19. samples/
  20. scripts/
  21. security/
  22. sound/
  23. tools/
  24. usr/
  25. virt/
  26. .clang-format
  27. .cocciconfig
  28. .get_maintainer.ignore
  29. .gitattributes
  30. .gitignore
  31. .mailmap
  32. .rustfmt.toml
  33. COPYING
  34. CREDITS
  35. Kbuild
  36. Kconfig
  37. MAINTAINERS
  38. Makefile
  39. PRESUBMIT.cfg
  40. README