rxrpc: Fix delayed ACKs to not set the reference serial number

Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference. Fixes: 17926a7932 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Signed-off-by: David Howells <dhowells@redhat.com> cc: Marc Dionne <marc.dionne@auristor.com> cc: "David S. Miller" <davem@davemloft.net> cc: Eric Dumazet <edumazet@google.com> cc: Jakub Kicinski <kuba@kernel.org> cc: Paolo Abeni <pabeni@redhat.com> cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> (backported from e7870cf13d20f56bfc19f9c3e89707c69cf104ef) [mpellizzer: removed the "ackr_serial" field from the struct "rxrpc_call" and adjusted the code accordingly] CVE-2024-26677 Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Acked-by: Manuel Diewald <manuel.diewald@canonical.com> Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com> Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
2024-08-06 17:01:40 +02:00 · 2024-08-06 17:01:40 +02:00 · fe5cf97d43
parent 5ecacd52d9
commit fe5cf97d43
3 changed files with 1 additions and 4 deletions
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@ -667,7 +667,6 @@ struct rxrpc_call {

 	/* Receive-phase ACK management (ACKs we send). */
 	u8			ackr_reason;	/* reason to ACK */
-	rxrpc_serial_t		ackr_serial;	/* serial of packet being ACK'd */
 	rxrpc_seq_t		ackr_highest_seq; /* Higest sequence number received */
 	atomic_t		ackr_nr_unacked; /* Number of unacked packets */
 	atomic_t		ackr_nr_consumed; /* Number of packets needing hard ACK */
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@ -67,13 +67,11 @@ static void __rxrpc_propose_ACK(struct rxrpc_call *call, u8 ack_reason,
 	if (ack_reason == call->ackr_reason) {
 		if (RXRPC_ACK_UPDATEABLE & (1 << ack_reason)) {
 			outcome = rxrpc_propose_ack_update;
-			call->ackr_serial = serial;
 		}
 		if (!immediate)
 			goto trace;
 	} else if (prior > rxrpc_ack_priority[call->ackr_reason]) {
 		call->ackr_reason = ack_reason;
-		call->ackr_serial = serial;
 	} else {
 		outcome = rxrpc_propose_ack_subsume;
 	}
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@ -87,7 +87,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn,
 		return 0;

 	/* Barrier against rxrpc_input_data(). */
-	serial = call->ackr_serial;
+	serial = 0;
 	hard_ack = READ_ONCE(call->rx_hard_ack);
 	top = smp_load_acquire(&call->rx_top);
 	*_hard_ack = hard_ack;