On Thu, Jul 27, 2023 at 05:46:28PM +0000, SeongJae Park wrote:
> From: M A Ramdhan <ramdhan@xxxxxxxxxxx>
>
> [ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]
>
> In the event of a failure in tcf_change_indev(), fw_set_parms() will
> immediately return an error after incrementing or decrementing
> reference counter in tcf_bind_filter(). If attacker can control
> reference counter to zero and make reference freed, leading to
> use after free.
>
> In order to prevent this, move the point of possible failure above the
> point where the TC_FW_CLASSID is handled.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: M A Ramdhan <ramdhan@xxxxxxxxxxx>
> Signed-off-by: M A Ramdhan <ramdhan@xxxxxxxxxxx>
> Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> Reviewed-by: Pedro Tammela <pctammela@xxxxxxxxxxxx>
> Message-ID: <20230705161530.52003-1-ramdhan@xxxxxxxxxxx>
> Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
> Signed-off-by: SeongJae Park <sj@xxxxxxxxxx>
> ---
>  net/sched/cls_fw.c | 10 +++++-----

Both now queued up, thanks.

greg k-h
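
The ordering problem described in the quoted commit message, as a toy C model added here; it is not the kernel's code and not part of the patch. Every name in it (struct cls, bind_filter, change_indev, set_parms_before/after) is a hypothetical stand-in, and the model assumes the update runs on a scratch copy of the live filter that is discarded when the call fails.

```c
#include <stddef.h>

/* Toy model, not kernel code: every name below is hypothetical. */
struct cls    { int filter_cnt; };               /* class with a bind counter */
struct filter { struct cls *bound; int ifindex; };

/* Stand-in for the bind step: count the new class, release the old one. */
static void bind_filter(struct filter *f, struct cls *new_cls)
{
    new_cls->filter_cnt++;
    if (f->bound)
        f->bound->filter_cnt--;
    f->bound = new_cls;
}

/* Stand-in for the fallible step (negative request = lookup failure). */
static int change_indev(int requested)
{
    return requested < 0 ? -1 : requested;
}

/* Ordering before the fix: counters change, then the call may fail. */
static int set_parms_before(struct filter *f, struct cls *c, int indev)
{
    bind_filter(f, c);
    int ret = change_indev(indev);
    if (ret < 0)
        return ret;            /* error return with counters already changed */
    f->ifindex = ret;
    return 0;
}

/* Ordering after the fix: the fallible step runs first. */
static int set_parms_after(struct filter *f, struct cls *c, int indev)
{
    int ret = change_indev(indev);
    if (ret < 0)
        return ret;            /* nothing has been modified yet */
    f->ifindex = ret;
    bind_filter(f, c);
    return 0;
}

/* Failing update on a scratch copy (model assumption); returns the count left
 * on the class the live filter still points to. 1 means balanced. */
static int count_after_failed_update(int fixed)
{
    struct cls old_cls = { 1 }, new_cls = { 0 };
    struct filter live = { &old_cls, 0 }, scratch = live;
    if (fixed) set_parms_after(&scratch, &new_cls, -1);
    else       set_parms_before(&scratch, &new_cls, -1);
    (void)live;                /* live.bound still references old_cls */
    return old_cls.filter_cnt;
}
```

The invariant to check in review is that an error return leaves every counter as it found it; in this model only the reordered version holds it.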