[PATCH openEuler-1.0-LTS 0/2] CVE-2021-47668
CVE fix. Alejandro Concepcion Rodriguez (1): can: dev: can_restart(): post buffer from the right context Vincent Mailhol (1): can: dev: can_restart: fix use after free bug drivers/net/can/dev/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.25.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/16082 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/YXC... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/16082 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/YXC...
From: Alejandro Concepcion Rodriguez <alejandro@acoro.eu> stable inclusion from stable-v4.19.160 commit cef79b5249ea3bf7889f222999a3bcbc560d9a41 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC21UW CVE: CVE-2021-47668 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit a1e654070a60d5d4f7cce59c38f4ca790bb79121 ] netif_rx() is meant to be called from interrupt contexts. can_restart() may be called by can_restart_work(), which is called from a worqueue, so it may run in process context. Use netif_rx_ni() instead. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Co-developed-by: Loris Fauster <loris.fauster@ttcontrol.com> Signed-off-by: Loris Fauster <loris.fauster@ttcontrol.com> Signed-off-by: Alejandro Concepcion Rodriguez <alejandro@acoro.eu> Link: https://lore.kernel.org/r/4e84162b-fb31-3a73-fa9a-9438b4bd5234@acoro.eu [mkl: use netif_rx_ni() instead of netif_rx_any_context()] Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: drivers/net/can/dev.c [File name change from commit 3e77f70e7345("can: dev: move driver related infrastructure into separate subdir"), which has merged.] Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- drivers/net/can/dev/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 5667f1ebd8e7..1733f07b3b6a 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -577,7 +577,7 @@ static void can_restart(struct net_device *dev) } cf->can_id |= CAN_ERR_RESTARTED; - netif_rx(skb); + netif_rx_ni(skb); stats->rx_packets++; stats->rx_bytes += cf->can_dlc; -- 2.25.1
From: Vincent Mailhol <mailhol.vincent@wanadoo.fr> stable inclusion from stable-v4.19.171 commit 08ab951787098ae0b6c0364aeea7a8138226f234 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC21UW CVE: CVE-2021-47668 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ] After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the netif_rx_ni() in: stats->rx_bytes += cf->len; Reordering the lines solves the issue. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: drivers/net/can/dev.c [File name change from commit 3e77f70e7345("can: dev: move driver related infrastructure into separate subdir"), which has merged.] Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- drivers/net/can/dev/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 1733f07b3b6a..1da917fde8bd 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -577,11 +577,11 @@ static void can_restart(struct net_device *dev) } cf->can_id |= CAN_ERR_RESTARTED; - netif_rx_ni(skb); - stats->rx_packets++; stats->rx_bytes += cf->can_dlc; + netif_rx_ni(skb); + restart: netdev_dbg(dev, "restarted\n"); priv->can_stats.restarts++; -- 2.25.1
participants (2)
-
Gu Bowen -
patchwork bot