Merge: net/sched: Fix UAF when resolving a clash

zampierilucas · zampierilucas · commit 3ec35f3818fa · 2024-08-16T14:25:04.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/4942 JIRA: https://issues.redhat.com/browse/RHEL-51020 CVE: CVE-2024-41040 Tested: compile only Signed-off-by: Xin Long <lxin@redhat.com> Approved-by: Florian Westphal <fwestpha@redhat.com> Approved-by: Hangbin Liu <haliu@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Lucas Zampieri <lzampier@redhat.com>
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
@@ -1079,6 +1079,14 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 		 */
 		if (nf_conntrack_confirm(skb) != NF_ACCEPT)
 			goto drop;
+
+		/* The ct may be dropped if a clash has been resolved,
+		 * so it's necessary to retrieve it from skb again to
+		 * prevent UAF.
+		 */
+		ct = nf_ct_get(skb, &ctinfo);
+		if (!ct)
+			skip_add = true;
 	}
 
 	if (!skip_add)
