diff --git a/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
new file mode 100644
index 0000000..c6c5d55
--- /dev/null
+++ b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
@@ -0,0 +1,52 @@
+From: Jakub Kicinski
+Date: Mon, 13 Feb 2023 22:53:55 -0800
+Subject: net: mpls: fix stale pointer if allocation fails during device rename
+Patch-mainline: v6.2
+Git-commit: fda6c89fe3d9aca073495a664e1d5aea28cd4377
+References: bsc#1208700 CVE-2023-26545
+
+lianhui reports that when MPLS fails to register the sysctl table
+under new location (during device rename) the old pointers won't
+get overwritten and may be freed again (double free).
+
+Handle this gracefully. The best option would be unregistering
+the MPLS from the device completely on failure, but unfortunately
+mpls_ifdown() can fail. So failing fully is also unreliable.
+
+Another option is to register the new table first then only
+remove old one if the new one succeeds. That requires more
+code, changes order of notifications and two tables may be
+visible at the same time.
+
+sysctl point is not used in the rest of the code - set to NULL
+on failures and skip unregister if already NULL.
+
+Reported-by: lianhui tang
+Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Acked-by: Thomas Bogendoerfer
+---
+ net/mpls/af_mpls.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(stru
+ free:
+ kfree(table);
+ out:
++ mdev->sysctl = NULL;
+ return -ENOBUFS;
+ }
+
+@@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(s
+ struct net *net = dev_net(dev);
+ struct ctl_table *table;
+
++ if (!mdev->sysctl)
++ return;
++
+ table = mdev->sysctl->ctl_table_arg;
+ unregister_net_sysctl_table(mdev->sysctl);
+ kfree(table);
diff --git a/series.conf b/series.conf
index a849b54..1b63c86 100644
--- a/series.conf
+++ b/series.conf
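Review bot: In the embedded af_mpls.c change, the new `if (!mdev->sysctl) return;` guard in mpls_dev_sysctl_unregister() only prevents the double free if every path that releases the table also resets the pointer, and in the visible lines unregister itself still leaves `mdev->sysctl` pointing at the header it has just unregistered. The fix therefore relies on a later mpls_dev_sysctl_register() call either overwriting the field or reaching `out:`; adding `mdev->sysctl = NULL;` right after `kfree(table);` would keep that invariant inside the function that does the freeing. The early return also skips whatever follows `kfree(table);`, and since the function body continues past the hunk, that is worth confirming against the full source of the target kernel. A short comment at `out:` such as `/* no table registered: unregister must see NULL, not the old header */` would record why the assignment is there.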
@@ -23059,6 +23059,7 @@ patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch patches.suse/HID-check-empty-report_list-in-bigben_probe.patch patches.suse/HID-betop-check-shape-of-output-reports.patch + patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch # netdev/net patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch