DEBIAN-CVE-2023-54193

Source
https://security-tracker.debian.org/tracker/CVE-2023-54193
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54193.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-54193
Upstream
Published
2025-12-30T13:16:07.320Z
Modified
2025-12-31T11:10:13.365112Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_api: remove block_cb from driver_list before freeing

Error handler of tcf_block_bind() frees the whole bo->cb_list on error. However, by that time the flow_block_cb instances are already in the driver list because driver ndo_setup_tc() callback is called before that up the call chain in tcf_block_offload_cmd(). This leaves dangling pointers to freed objects in the list and causes use-after-free.

Fix it by also removing flow_block_cb instances from driver_list before deallocating them.

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.191-1

Affected versions

5.*
5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54193.json"

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.37-1

Affected versions

6.*
6.1.27-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54193.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54193.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54193.json"