From: Andrea Mayer andrea.mayer@uniroma2.it
mainline inclusion from mainline-v6.10-rc1 commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2 CVE: CVE-2024-39490
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak.
This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks.
The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails.
Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") Signed-off-by: Andrea Mayer andrea.mayer@uniroma2.it Reviewed-by: Simon Horman horms@kernel.org Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: David S. Miller davem@davemloft.net Conflicts: net/ipv6/seg6_iptunnel.c [commit 7a3f5b0de364 add seg6_input_core() to seg6_input() for netfilter hooks of SRv6, which lead to context conflicts] Signed-off-by: Dong Chenchen dongchenchen2@huawei.com --- net/ipv6/seg6_iptunnel.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 40ac23242c37..ab2a606fdb65 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -318,10 +318,8 @@ static int seg6_input(struct sk_buff *skb) int err;
err = seg6_do_srh(skb); - if (unlikely(err)) { - kfree_skb(skb); - return err; - } + if (unlikely(err)) + goto drop;
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
@@ -346,9 +344,12 @@ static int seg6_input(struct sk_buff *skb)
err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); if (unlikely(err)) - return err; + goto drop;
return dst_input(skb); +drop: + kfree_skb(skb); + return err; }
static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/11026 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/P...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/11026 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/P...