From: Andrea Mayer andrea.mayer@uniroma2.it

mainline inclusion from mainline-v6.10-rc1 commit 271201c09c86cd75e0fd6206bde689176e85aa21 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2 CVE: CVE-2024-39490

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak.

This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks.

The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails.

Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") Signed-off-by: Andrea Mayer andrea.mayer@uniroma2.it Reviewed-by: Simon Horman horms@kernel.org Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: David S. Miller davem@davemloft.net Conflicts: net/ipv6/seg6_iptunnel.c [commit 7a3f5b0de364 add seg6_input_core() to seg6_input() for netfilter hooks of SRv6, which lead to context conflicts] Signed-off-by: Dong Chenchen dongchenchen2@huawei.com --- net/ipv6/seg6_iptunnel.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 40ac23242c37..ab2a606fdb65 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -318,10 +318,8 @@ static int seg6_input(struct sk_buff *skb) int err;

err = seg6_do_srh(skb); - if (unlikely(err)) { - kfree_skb(skb); - return err; - } + if (unlikely(err)) + goto drop;

slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);

@@ -346,9 +344,12 @@ static int seg6_input(struct sk_buff *skb)

err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); if (unlikely(err)) - return err; + goto drop;

return dst_input(skb); +drop: + kfree_skb(skb); + return err; }

static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb)