linux/net/sched
Wolfgang Bumiller e0535ce58b net sched actions: allocate act cookie early
Policing filters do not use the TCA_ACT_* enum and the tb[]
nlattr array in tcf_action_init_1() doesn't get filled for
them so we should not try to look for a TCA_ACT_COOKIE
attribute in the then uninitialized array.
The error handling in cookie allocation then calls
tcf_hash_release() leading to invalid memory access later
on.
Additionally, if cookie allocation fails after an already
existing non-policing filter has successfully been changed,
tcf_action_release() should not be called, also we would
have to roll back the changes in the error handling, so
instead we now allocate the cookie early and assign it on
success at the end.

CVE-2017-7979
Fixes: 1045ba77a5 ("net sched actions: Add support for user cookies")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 16:32:07 -04:00
..
act_api.c net sched actions: allocate act cookie early 2017-04-20 16:32:07 -04:00
act_bpf.c bpf: rework prog_digest into prog_tag 2017-01-16 14:03:31 -05:00
act_connmark.c act_connmark: avoid crashing on malformed nlattrs with null parms 2017-03-12 23:32:41 -07:00
act_csum.c net/sched: act_csum: compute crc32c on SCTP packets 2017-01-09 14:36:57 -05:00
act_gact.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
act_ife.c net/sched: act_ife: Change to use ife module 2017-02-03 15:16:46 -05:00
act_ipt.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net/sched: act_mirred: remove duplicated include from act_mirred.c 2017-02-07 11:42:34 -05:00
act_nat.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
act_pedit.c net/act_pedit: Introduce 'add' operation 2017-02-10 13:18:33 -05:00
act_police.c net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00
act_sample.c net/sched: act_psample: Remove unnecessary ASSERT_RTNL 2017-02-01 14:10:03 -05:00
act_simple.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
act_skbedit.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
act_skbmod.c net/sched: act_skbmod: remove unneeded rcu_read_unlock in tcf_skbmod_dump 2017-03-07 14:13:03 -08:00
act_tunnel_key.c net/sched: act_tunnel_key: Fix setting UDP dst port in metadata under IPv6 2016-12-23 11:59:56 -05:00
act_vlan.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
cls_api.c sched: Fix accidental removal of errout goto 2017-02-14 11:44:14 -05:00
cls_basic.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_bpf.c net/sched: cls_bpf: Reflect HW offload status 2017-02-17 12:08:06 -05:00
cls_cgroup.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_flow.c skbuff: add and use skb_nfct helper 2017-02-02 14:31:53 +01:00
cls_flower.c net/sched: cls_flower: Reflect HW offload status 2017-02-17 12:08:05 -05:00
cls_fw.c
cls_matchall.c net/sched: cls_matchall: Reflect HW offloading status 2017-02-17 12:08:06 -05:00
cls_route.c
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_tcindex.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_u32.c net/sched: cls_u32: Reflect HW offload status 2017-02-17 12:08:06 -05:00
em_canid.c
em_cmp.c
em_ipset.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
em_meta.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/loadavg.h> 2017-03-02 08:42:27 +01:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c
Kconfig net/sched: act_ife: Change to use ife module 2017-02-03 15:16:46 -05:00
Makefile net/sched: Introduce sample tc action 2017-01-24 13:44:28 -05:00
sch_api.c pkt_sched: Remove useless qdisc_stab_lock 2017-02-17 15:10:18 -05:00
sch_atm.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_blackhole.c
sch_cbq.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_choke.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_codel.c
sch_drr.c net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00
sch_dsmark.c sch_dsmark: fix invalid skb_cow() usage 2017-03-21 17:21:27 -07:00
sch_fifo.c
sch_fq_codel.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_fq.c net_sched: sch_fq: use rb_entry() 2016-12-20 14:22:48 -05:00
sch_generic.c net_sched: check noop_qdisc before qdisc_hash_add() 2017-04-06 12:28:39 -07:00
sch_gred.c
sch_hfsc.c net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00
sch_hhf.c net_sched: fix error recovery at qdisc creation 2017-02-11 21:38:58 -05:00
sch_htb.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_ingress.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_mq.c net_sched: fix error recovery at qdisc creation 2017-02-11 21:38:58 -05:00
sch_mqprio.c net_sched: fix error recovery at qdisc creation 2017-02-11 21:38:58 -05:00
sch_multiq.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_netem.c net-tc: convert tc_from to tc_from_ingress and tc_redirected 2017-01-08 20:58:52 -05:00
sch_pie.c
sch_plug.c
sch_prio.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_qfq.c net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00
sch_red.c
sch_sfb.c sched: move tcf_proto_destroy and tcf_destroy_chain helpers into cls_api 2017-02-10 11:38:08 -05:00
sch_sfq.c net_sched: fix error recovery at qdisc creation 2017-02-11 21:38:58 -05:00
sch_tbf.c
sch_teql.c net: make ndo_get_stats64 a void function 2017-01-08 17:51:44 -05:00