On Tue, Aug 9, 2022 at 1:06 PM Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> wrote:
>
> When a route filter is replaced and the old filter has a 0 handle, the old
> one won't be removed from the hashtable, while it will still be freed.
>
> The test was there since before commit 1109c00547fc ("net: sched: RCU
> cls_route"), when a new filter was not allocated when there was an old one.
> The old filter was reused and the reinserting would only be necessary if an
> old filter was replaced. That was still wrong for the same case where the
> old handle was 0.
>
> Remove the old filter from the list independently from its handle value.
>
> This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.
>
> Reported-by: Zhenpeng Lin <zplin@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
> Reviewed-by: Kamal Mostafa <kamal@xxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Cc: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>

Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>

cheers,
jamal
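A constructed C model of the replace path the commit message describes, added here as an illustration and not code from the kernel, the patch or this thread: the `buggy` path frees the old filter without unlinking it when its handle is 0, the fixed path unlinks it regardless of the handle, and a pointer-only walk of the bucket reports which variant leaves a freed node reachable. The struct, bucket layout and function names are assumptions of this model.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model (not cls_route.c itself) of the bug described above:
 * filters in one hash bucket, a replace path that frees the old filter,
 * and a check for whether the freed filter is still reachable. */
struct filter { unsigned int handle; struct filter *next; };
static struct filter *bucket;   /* the single bucket in this model */
static void unlink_filter(struct filter *old)
{
    for (struct filter **fp = &bucket; *fp; fp = &(*fp)->next)
        if (*fp == old) { *fp = old->next; return; }
}
/* buggy=1 mirrors the pre-fix logic the commit message describes: the old
 * filter is unlinked only when its handle is non-zero but freed either way.
 * buggy=0 unlinks it regardless of the handle value, which is the fix. */
static struct filter *replace_filter(struct filter *old, unsigned int handle, int buggy)
{
    struct filter *f = calloc(1, sizeof(*f));
    f->handle = handle;
    if (old) {
        if (!buggy || old->handle != 0)
            unlink_filter(old);
        free(old);   /* stays linked in the bucket if it was not unlinked */
    }
    f->next = bucket;
    bucket = f;
    return f;
}
/* Walk the bucket comparing addresses only, stopping at the first match so
 * a freed node is never read through. */
static int bucket_references(uintptr_t addr)
{
    struct filter *p;
    for (p = bucket; p && (uintptr_t)p != addr; p = p->next) {}
    return p != NULL;
}
/* Insert a filter with 'handle', replace it, and report whether the freed
 * old filter is still linked (1 = the use-after-free condition). */
static int replace_leaves_dangling(unsigned int handle, int buggy)
{
    struct filter *old = replace_filter(NULL, handle, buggy);
    uintptr_t old_addr = (uintptr_t)old;   /* remembered before it is freed */
    struct filter *fresh = replace_filter(old, handle, buggy);
    int dangling = bucket_references(old_addr);
    bucket = NULL; free(fresh);   /* tear down; 'old' is already freed */
    return dangling;
}
```

Only the handle-0 case under the pre-fix condition leaves the freed filter linked; a non-zero handle is unlinked by both variants.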