Patch "[PATCH 5.15 6.1] gve: Fix use-after-free vulnerability" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     gve-fix-use-after-free-vulnerability.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From pkaligineedi@xxxxxxxxxx  Fri Feb  2 17:28:54 2024
From: Praveen Kaligineedi <pkaligineedi@xxxxxxxxxx>
Date: Tue, 30 Jan 2024 13:45:07 -0800
Subject: [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability
To: stable@xxxxxxxxxxxxxxx
Cc: gregkh@xxxxxxxxxxxxxxxxxxx, Bailey Forrest <bcf@xxxxxxxxxx>,  Praveen Kaligineedi <pkaligineedi@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>,  Jeroen de Borst <jeroendb@xxxxxxxxxx>, Kevin DeCabooter <decabooter@xxxxxxxxxx>
Message-ID: <20240130214507.3391252-1-pkaligineedi@xxxxxxxxxx>

From: Praveen Kaligineedi <pkaligineedi@xxxxxxxxxx>

From: Bailey Forrest <bcf@xxxxxxxxxx>

Call skb_shinfo() after gve_prep_tso() on DQO TX path.
gve_prep_tso() calls skb_cow_head(), which may reallocate
shinfo causing a use after free.

This bug was unintentionally fixed by 'a6fb8d5a8b69
("gve: Tx path for DQO-QPL")' while adding DQO-QPL format
support in 6.6. That patch is not appropriate for stable releases.

Fixes: a57e5de476be ("gve: DQO: Add TX path")
Signed-off-by: Praveen Kaligineedi <pkaligineedi@xxxxxxxxxx>
Signed-off-by: Bailey Forrest <bcf@xxxxxxxxxx>
Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reviewed-by: Jeroen de Borst <jeroendb@xxxxxxxxxx>
Reviewed-by: Kevin DeCabooter <decabooter@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/ethernet/google/gve/gve_tx_dqo.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -350,6 +350,7 @@ static void gve_tx_fill_pkt_desc_dqo(str
 /* Validates and prepares `skb` for TSO.
  *
  * Returns header length, or < 0 if invalid.
+ * Warning : Might change skb->head (and thus skb_shinfo).
  */
 static int gve_prep_tso(struct sk_buff *skb)
 {
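Review bot: The added comment line "Warning : Might change skb->head (and thus skb_shinfo)." has a stray space before the colon and does not tell a caller what to do about it. Suggest wording along the lines of "Warning: might change skb->head, so callers must re-read skb_shinfo(skb) after this returns", and naming skb_cow_head() as the cause, since the commit message identifies it but the comment does not.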
@@ -451,8 +452,8 @@ gve_tx_fill_general_ctx_desc(struct gve_
 static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx,
 				      struct sk_buff *skb)
 {
-	const struct skb_shared_info *shinfo = skb_shinfo(skb);
 	const bool is_gso = skb_is_gso(skb);
+	struct skb_shared_info *shinfo;
 	u32 desc_idx = tx->dqo_tx.tail;
 
 	struct gve_tx_pending_packet_dqo *pkt;
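Review bot: The new declaration "struct skb_shared_info *shinfo;" drops the const qualifier that the removed line carried. Deferring the assignment does not require that: const there applies to the pointed-to struct, not to the pointer, so "const struct skb_shared_info *shinfo;" can still be assigned later. Unless code outside this hunk writes through shinfo, keep the const so the compiler continues to reject accidental writes to the shared info.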
@@ -477,6 +478,8 @@ static int gve_tx_add_skb_no_copy_dqo(st
 		desc_idx = (desc_idx + 1) & tx->mask;
 	}
 
+	/* Must get after gve_prep_tso(), which can change shinfo. */
+	shinfo = skb_shinfo(skb);
 	gve_tx_fill_general_ctx_desc(&tx->dqo.tx_ring[desc_idx].general_ctx,
 				     &metadata);
 	desc_idx = (desc_idx + 1) & tx->mask;
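Review bot: The assignment "shinfo = skb_shinfo(skb);" lands after the closing brace of the preceding block, and the gve_prep_tso() call it depends on is outside the visible context, so the ordering the comment promises cannot be checked from this hunk alone. Worth confirming that nothing between the declaration and this line dereferences shinfo (it is uninitialized until here), and that nothing after this line can reallocate skb->head again. The comment would also be more precise as "which can reallocate skb->head" than "which can change shinfo".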


Patches currently in stable-queue which might be from pkaligineedi@xxxxxxxxxx are

queue-5.15/gve-fix-use-after-free-vulnerability.patch



