linux-stable/net/sched
Lin Ma 18d78c5552 net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
[ Upstream commit 30c45b5361 ]

The attribute TCA_PEDIT_PARMS_EX is not included in pedit_policy and
one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is
smaller than the intended sizeof(struct tc_pedit). Hence, the
dereference in tcf_pedit_init() could access dirty heap data.

static int tcf_pedit_init(...)
{
  // ...
  pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included
  if (!pattr)
    pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not

  // ...
  parm = nla_data(pattr);

  index = parm->index; // parm is able to be smaller than 4 bytes
                       // and this dereference gets dirty skb_buff
                       // data created in netlink_sendmsg
}

This commit adds the TCA_PEDIT_PARMS_EX length to pedit_policy, which avoids
the above case, just like TCA_PEDIT_PARMS.

Fixes: 71d0ed7079 ("net/act_pedit: Support using offset relative to the conventional network headers")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-07-19 16:22:05 +02:00
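The mechanism behind this fix, as an added userspace model that is not code from the commit or the kernel tree: a simplified nla_parse()-style walker applies a policy whose .len is a minimum payload length (the kernel returns -ERANGE on a shorter attribute), and the tcf_pedit_init() prologue is reduced to "pick TCA_PEDIT_PARMS, else TCA_PEDIT_PARMS_EX, then read parm->index". Assumptions: the attribute ids follow the order of the uapi tc_pedit.h enum, struct tc_pedit is cut down to its leading tc_gen fields, and the parsing helpers are re-implementations, not the kernel's own. With the pre-fix policy a constructed 4-byte TCA_PEDIT_PARMS_EX is accepted and would be dereferenced as a 24-byte struct; with the fixed policy it is rejected before tcf_pedit_init() sees it.

```c
/* Added example: userspace model of netlink policy length checking for
 * TCA_PEDIT_PARMS_EX. Not kernel code; names mirror the kernel's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NLA_ALIGNTO 4u
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1u) & ~(NLA_ALIGNTO - 1u))

struct nlattr {              /* mirrors struct nlattr: 4-byte header */
    uint16_t nla_len;        /* header + payload, before padding */
    uint16_t nla_type;
};
#define NLA_HDRLEN ((uint16_t)NLA_ALIGN(sizeof(struct nlattr)))

enum {                       /* assumption: same order as uapi tc_pedit.h */
    TCA_PEDIT_UNSPEC, TCA_PEDIT_TM, TCA_PEDIT_PARMS, TCA_PEDIT_PAD,
    TCA_PEDIT_PARMS_EX, TCA_PEDIT_KEYS_EX, TCA_PEDIT_KEY_EX, __TCA_PEDIT_MAX
};
#define TCA_PEDIT_MAX (__TCA_PEDIT_MAX - 1)

struct tc_pedit {            /* reduced model: tc_gen header + key count */
    uint32_t index, capab, action, refcnt, bindcnt;
    unsigned char nkeys, flags;
};

/* Simplified nla_policy: .len is the minimum payload length, 0 = unchecked. */
struct nla_policy { uint16_t len; };

/* Before the fix: only TCA_PEDIT_PARMS carries a length requirement. */
static const struct nla_policy pedit_policy_old[TCA_PEDIT_MAX + 1] = {
    [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) },
};
/* After the fix: TCA_PEDIT_PARMS_EX gets the same minimum length. */
static const struct nla_policy pedit_policy_fixed[TCA_PEDIT_MAX + 1] = {
    [TCA_PEDIT_PARMS]    = { .len = sizeof(struct tc_pedit) },
    [TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) },
};

/* Append one attribute to buf; returns bytes consumed, 0 if it does not fit. */
static size_t nla_put_model(uint8_t *buf, size_t cap, uint16_t type,
                            const void *payload, uint16_t plen)
{
    size_t total = NLA_ALIGN((size_t)NLA_HDRLEN + plen);
    if (total > cap)
        return 0;
    struct nlattr hdr = { .nla_len = (uint16_t)(NLA_HDRLEN + plen), .nla_type = type };
    memset(buf, 0, total);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + NLA_HDRLEN, payload, plen);
    return total;
}

/* Walk the attribute stream, fill tb[], enforce policy minimum lengths.
 * Returns 0 on success, -1 for a malformed stream, -2 for a policy violation
 * (the kernel's -ERANGE case). */
static int nla_parse_model(const struct nlattr *tb[], int maxtype,
                           const uint8_t *buf, size_t len,
                           const struct nla_policy *policy)
{
    memset(tb, 0, sizeof(tb[0]) * (size_t)(maxtype + 1));
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        struct nlattr hdr;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (hdr.nla_len < NLA_HDRLEN || off + hdr.nla_len > len)
            return -1;
        uint16_t type = hdr.nla_type & 0x3fff;   /* strip NLA_F_* flag bits */
        if (type <= maxtype) {
            uint16_t plen = hdr.nla_len - NLA_HDRLEN;
            if (policy[type].len && plen < policy[type].len)
                return -2;
            tb[type] = (const struct nlattr *)(buf + off);
        }
        off += NLA_ALIGN((size_t)hdr.nla_len);
    }
    return 0;
}

/* Model of the tcf_pedit_init() prologue: parse a message carrying one
 * TCA_PEDIT_PARMS_EX, pick PARMS or PARMS_EX, and report whether reading
 * parm->index would run past the payload. Returns 1 if a too-short
 * attribute reaches the dereference, 0 if the payload is complete, and
 * -1 if parsing rejected the message. */
static int pedit_would_read_short_parm(const struct nla_policy *policy,
                                       const void *parms_ex, uint16_t plen)
{
    uint8_t msg[64];
    size_t n = nla_put_model(msg, sizeof msg, TCA_PEDIT_PARMS_EX, parms_ex, plen);
    const struct nlattr *tb[TCA_PEDIT_MAX + 1];
    if (n == 0 || nla_parse_model(tb, TCA_PEDIT_MAX, msg, n, policy) < 0)
        return -1;
    const struct nlattr *pattr = tb[TCA_PEDIT_PARMS];
    if (!pattr)
        pattr = tb[TCA_PEDIT_PARMS_EX];
    if (!pattr)
        return -1;
    uint16_t payload = pattr->nla_len - NLA_HDRLEN;
    return payload < sizeof(struct tc_pedit);
}

/* Constructed inputs: a 4-byte fake PARMS_EX and a complete struct tc_pedit. */
static int short_parms_ex_accepted(const struct nla_policy *policy)
{
    uint32_t fake = 0x41414141u;
    return pedit_would_read_short_parm(policy, &fake, sizeof fake);
}
static int full_parms_ex_accepted(const struct nla_policy *policy)
{
    struct tc_pedit parm = { .index = 1, .action = 3, .nkeys = 0 };
    return pedit_would_read_short_parm(policy, &parm, sizeof parm);
}

int main(void)
{
    printf("old policy, 4-byte PARMS_EX  : %d (1 = short attr reaches parm->index)\n",
           short_parms_ex_accepted(pedit_policy_old));
    printf("fixed policy, 4-byte PARMS_EX: %d (-1 = rejected by policy)\n",
           short_parms_ex_accepted(pedit_policy_fixed));
    printf("fixed policy, full PARMS_EX  : %d (0 = payload complete)\n",
           full_parms_ex_accepted(pedit_policy_fixed));
    return 0;
}
```

The check that matters is the one in the policy table, not in tcf_pedit_init(): once nla_parse_nested() has accepted an attribute, the action code treats nla_data() as a full struct, so every attribute that is later cast to a struct needs a .len (or a NLA_POLICY_EXACT_LEN-style entry) in the policy, exactly what the commit adds for TCA_PEDIT_PARMS_EX.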
act_api.c net/sched: act_api: add specific EXT_WARN_MSG for tc action 2023-06-21 16:01:02 +02:00
act_bpf.c net: sched: act_bpf: simplify code logic in tcf_bpf_init() 2022-09-28 09:38:56 +01:00
act_connmark.c netfilter: conntrack: Fix data-races around ct mark 2022-11-18 15:21:00 +01:00
act_csum.c
act_ct.c netfilter: conntrack: Fix data-races around ct mark 2022-11-18 15:21:00 +01:00
act_ctinfo.c net/sched: act_ctinfo: use percpu stats 2023-02-22 12:59:52 +01:00
act_gact.c treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
act_gate.c
act_ife.c
act_ipt.c net/sched: act_ipt: add sanity checks on skb before calling target 2023-07-19 16:22:01 +02:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net/sched: act_mirred: Add carrier check 2023-05-17 11:53:34 +02:00
act_mpls.c net/sched: act_mpls: fix action bind logic 2023-03-11 13:55:28 +01:00
act_nat.c
act_pedit.c net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX 2023-07-19 16:22:05 +02:00
act_police.c net: sched: act_police: fix sparse errors in tcf_police_dump() 2023-06-14 11:15:21 +02:00
act_sample.c net/sched: act_sample: fix action bind logic 2023-03-11 13:55:28 +01:00
act_simple.c
act_skbedit.c
act_skbmod.c
act_tunnel_key.c
act_vlan.c
cls_api.c net/sched: cls_api: Fix lockup on flushing explicitly created chain 2023-06-21 16:01:01 +02:00
cls_basic.c net: sched: use tc_cls_bind_class() in filter 2022-10-02 16:07:17 +01:00
cls_bpf.c net: sched: use tc_cls_bind_class() in filter 2022-10-02 16:07:17 +01:00
cls_cgroup.c
cls_flow.c
cls_flower.c net/sched: flower: fix possible OOB write in fl_set_geneve_opt() 2023-06-09 10:34:04 +02:00
cls_fw.c net: sched: use tc_cls_bind_class() in filter 2022-10-02 16:07:17 +01:00
cls_matchall.c net: sched: use tc_cls_bind_class() in filter 2022-10-02 16:07:17 +01:00
cls_route.c net: sched: use tc_cls_bind_class() in filter 2022-10-02 16:07:17 +01:00
cls_rsvp.c
cls_rsvp.h net: sched: use tc_cls_bind_class() in filter 2022-10-02 16:07:17 +01:00
cls_rsvp6.c
cls_u32.c net/sched: cls_u32: Fix reference counter leak leading to overflow 2023-06-21 16:00:59 +02:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c net_sched: reject TCF_EM_SIMPLE case for complex ematch module 2022-12-31 13:32:55 +01:00
Kconfig net/sched: Retire tcindex classifier 2023-03-11 13:55:16 +01:00
Makefile net/sched: Retire tcindex classifier 2023-03-11 13:55:16 +01:00
sch_api.c net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting 2023-06-21 16:01:01 +02:00
sch_atm.c net: sched: atm: dont intepret cls results when asked to drop 2023-01-12 12:02:24 +01:00
sch_blackhole.c
sch_cake.c Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
sch_cbq.c net: sched: cbq: dont intepret cls results when asked to drop 2023-01-12 12:02:24 +01:00
sch_cbs.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_choke.c
sch_codel.c
sch_drr.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_dsmark.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_etf.c
sch_ets.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_fifo.c
sch_fq.c net/sched: sch_fq: fix integer overflow of "credit" 2023-05-11 23:03:26 +09:00
sch_fq_codel.c Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()" 2022-10-19 13:47:09 +01:00
sch_fq_pie.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_frag.c
sch_generic.c net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting 2023-06-21 16:01:01 +02:00
sch_gred.c net: sched: gred: prevent races when adding offloads to stats 2023-02-01 08:34:25 +01:00
sch_hfsc.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_hhf.c
sch_htb.c net: sched: sch: Fix off by one in htb_activate_prios() 2023-02-22 12:59:56 +01:00
sch_ingress.c net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs 2023-06-09 10:34:03 +02:00
sch_mq.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_mqprio.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_multiq.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_netem.c sch_netem: acquire qdisc lock in netem_change() 2023-06-28 11:12:34 +02:00
sch_pie.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_plug.c
sch_prio.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_qfq.c net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg 2023-04-26 14:28:32 +02:00
sch_red.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_sfb.c Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
sch_sfq.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_skbprio.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_taprio.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00
sch_tbf.c net/sched: use tc_qdisc_stats_dump() in qdisc 2022-09-22 17:34:10 -07:00
sch_teql.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-14 11:15:21 +02:00