linux-stable/net/sched
Cong Wang 4d5d13eac3 net_sched: reject TCF_EM_SIMPLE case for complex ematch module
[ Upstream commit 9cd3fd2054 ]

When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
for ematch implementation:

https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/

"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
set will simply result in allocating & copy. It's an optimization,
nothing more."

So if an ematch module provides ops->datalen that means it wants a
complex data structure (saved in its em->data) instead of a simple u32
value. We should simply reject such a combination, otherwise this u32
could be misinterpreted as a pointer.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-01-07 12:07:30 +01:00
Kconfig
Makefile
act_api.c net: avoid potential infinite loop in tc_ctl_action() 2019-10-29 09:15:12 +01:00
act_bpf.c net/sched: fix NULL dereference in the error path of tcf_bpf_init() 2018-04-13 19:48:33 +02:00
act_connmark.c act_connmark: avoid crashing on malformed nlattrs with null parms 2017-03-22 12:43:34 +01:00
act_csum.c sched: act_csum: don't mangle TCP and UDP GSO packets 2018-03-22 09:17:42 +01:00
act_gact.c net/sched: Fix update of lastuse in act modules implementing stats_update 2018-01-17 09:38:54 +01:00
act_ife.c ife: error out when nla attributes are empty 2019-08-11 12:22:18 +02:00
act_ipt.c net: sched: fix NULL pointer dereference when action calls some targets 2017-08-30 10:21:42 +02:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c act_mirred: Fix mirred_init_module error handling 2020-01-29 10:24:33 +01:00
act_nat.c
act_pedit.c net/sched: act_pedit: fix WARN() in the traffic path 2019-11-28 18:28:04 +01:00
act_police.c
act_simple.c net/sched: act_simple: fix parsing of TCA_DEF_DATA 2018-06-26 08:08:06 +08:00
act_skbedit.c
act_skbmod.c net/sched: fix NULL dereference on the error path of tcf_skbmod_init() 2018-04-13 19:48:35 +02:00
act_tunnel_key.c net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used 2018-08-24 13:12:37 +02:00
act_vlan.c
cls_api.c net: sched: prevent UAF on tc_ctl_tfilter when temporarily dropping rtnl_lock 2022-05-12 12:14:58 +02:00
cls_basic.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_bpf.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_cgroup.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_flow.c net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
cls_flower.c net/sched: cls_flower: Use mask for addr_type 2021-09-22 11:42:56 +02:00
cls_fw.c
cls_matchall.c net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS 2020-02-28 15:42:44 +01:00
cls_route.c net_sched: cls_route: disallow handle of 0 2022-08-25 11:09:28 +02:00
cls_rsvp.c
cls_rsvp.h cls_rsvp: fix rsvp_policy 2020-02-14 16:30:58 -05:00
cls_rsvp6.c
cls_tcindex.c net: sched: fix warning in tcindex_alloc_perfect_hash 2021-07-20 16:21:03 +02:00
cls_u32.c net: sched: Fix memory exposure from short TCA_U32_SEL 2018-09-15 09:42:55 +02:00
em_canid.c
em_cmp.c
em_ipset.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c net_sched: reject TCF_EM_SIMPLE case for complex ematch module 2023-01-07 12:07:30 +01:00
sch_api.c net: sched: avoid duplicates in classes dump 2021-03-17 16:10:14 +01:00
sch_atm.c
sch_blackhole.c net_sched: blackhole: tell upper qdisc about dropped packets 2018-07-22 14:27:36 +02:00
sch_cbq.c sch_cbq: validate TCA_CBQ_WRROPT to avoid crash 2019-10-07 18:53:24 +02:00
sch_choke.c net: sched: validate stab values 2021-03-30 14:41:42 +02:00
sch_codel.c net: sched: Fix a possible null-pointer dereference in dequeue_func() 2019-08-11 12:22:17 +02:00
sch_drr.c
sch_dsmark.c sch_dsmark: fix a NULL deref in qdisc_reset() 2021-06-03 08:23:33 +02:00
sch_fifo.c net_sched: fix NULL deref in fifo_set_limit() 2021-10-17 10:05:39 +02:00
sch_fq.c net: fq: add missing attribute validation for orphan mask 2020-03-20 09:07:40 +01:00
sch_fq_codel.c fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks 2020-05-20 08:15:24 +02:00
sch_generic.c net_sched: restore "mpu xxx" handling 2022-01-27 08:47:42 +01:00
sch_gred.c net: sched: validate stab values 2021-03-30 14:41:42 +02:00
sch_hfsc.c
sch_hhf.c net/flow_dissector: switch to siphash 2019-11-10 11:23:31 +01:00
sch_htb.c sch_htb: fix crash on init failure 2018-09-15 09:43:02 +02:00
sch_ingress.c
sch_mq.c net: sched: fix `tc -s class show` no bstats on class with nolock subqueues 2019-12-05 15:35:30 +01:00
sch_mqprio.c net: sched: fix `tc -s class show` no bstats on class with nolock subqueues 2019-12-05 15:35:30 +01:00
sch_multiq.c net: sched: fix `tc -s class show` no bstats on class with nolock subqueues 2019-12-05 15:35:30 +01:00
sch_netem.c net: netem: correct the parent's backlog when corrupted packet was dropped 2020-01-29 10:24:34 +01:00
sch_pie.c
sch_plug.c
sch_prio.c net: sch_prio: When ungrafting, replace with FIFO 2020-01-12 11:24:27 +01:00
sch_qfq.c sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc 2022-01-11 13:38:12 +01:00
sch_red.c net: sched: Fix use after free in red_enqueue() 2022-11-10 15:46:05 +01:00
sch_sfb.c sch_sfb: Also store skb len before calling child enqueue 2022-09-15 12:39:46 +02:00
sch_sfq.c net: sched: validate stab values 2021-03-30 14:41:42 +02:00
sch_tbf.c net: create skb_gso_validate_mac_len() 2019-02-20 10:18:28 +01:00
sch_teql.c net: sched: sch_teql: fix null-pointer dereference 2021-04-16 11:59:07 +02:00