Commit 5006da8c authored May 08, 2024 by Jason A. Donenfeld Committed by Yang Yingliang May 08, 2024

wireguard: netlink: access device through ctx instead of peer

stable inclusion
from stable-v5.10.215
commit 493aa6bdcffd90a4f82aa614fe4f4db0641b4068
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5JW
CVE: CVE-2024-26950

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=493aa6bdcffd90a4f82aa614fe4f4db0641b4068



---------------------------

[ Upstream commit 71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f ]

The previous commit fixed a bug that led to a NULL peer->device being
dereferenced. It's actually easier and faster performance-wise to
instead get the device from ctx->wg. This semantically makes more sense
too, since ctx->wg->peer_allowedips.seq is compared with
ctx->allowedips_seq, basing them both in ctx. This also acts as a
defence in depth provision against freed peers.

Cc: stable@vger.kernel.org
Fixes: e7096c13 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

parent 3a4c6550

drivers/net/wireguard/netlink.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -164,8 +164,8 @@ get_peer(struct wg_peer peer, struct sk_buff skb, struct dump_ctx *ctx)
		if (!allowedips_node)
		goto no_allowedips;
		if (!ctx->allowedips_seq)
		ctx->allowedips_seq = peer->device->peer_allowedips.seq;
		else if (ctx->allowedips_seq != peer->device->peer_allowedips.seq)
		ctx->allowedips_seq = ctx->wg->peer_allowedips.seq;
		else if (ctx->allowedips_seq != ctx->wg->peer_allowedips.seq)
		goto no_allowedips;

		allowedips_nest = nla_nest_start(skb, WGPEER_A_ALLOWEDIPS);