mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/net
History
Pedro Tammela 70feebdbfa net/sched: sch_qfq: account for stab overhead in qfq_enqueue 
[ Upstream commit 3e337087c3 ]

Lion says:
-------
In the QFQ scheduler a similar issue to CVE-2023-31436
persists.

Consider the following code in net/sched/sch_qfq.c:

static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                struct sk_buff **to_free)
{
     unsigned int len = qdisc_pkt_len(skb), gso_segs;

    // ...

     if (unlikely(cl->agg->lmax < len)) {
         pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
              cl->agg->lmax, len, cl->common.classid);
         err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
         if (err) {
             cl->qstats.drops++;
             return qdisc_drop(skb, sch, to_free);
         }

    // ...

     }

Similarly to CVE-2023-31436, "lmax" is increased without any bounds
checks according to the packet length "len". Usually this would not
impose a problem because packet sizes are naturally limited.

This is however not the actual packet length, rather the
"qdisc_pkt_len(skb)" which might apply size transformations according to
"struct qdisc_size_table" as created by "qdisc_get_stab()" in
net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.

A user may choose virtually any size using such a table.

As a result the same issue as in CVE-2023-31436 can occur, allowing heap
out-of-bounds read / writes in the kmalloc-8192 cache.
-------

We can create the issue with the following commands:

tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
overhead 999999999 linklayer ethernet qfq
tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
tc filter add dev $DEV parent 1: matchall classid 1:1
ping -I $DEV 1.1.1.2

This is caused by incorrectly assuming that qdisc_pkt_len() returns a
length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.

Fixes: 462dbc9101 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Reported-by: Lion <nnamrec@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-07-23 13:49:27 +02:00
..
6lowpan
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-20 12:35:08 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-24 17:32:47 +01:00
appletalk
atm atm: hide unused procfs functions 2023-06-09 10:34:16 +02:00
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv batman-adv: Broken sync while rescheduling delayed work 2023-06-14 11:15:23 +02:00
bluetooth Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable 2023-07-19 16:22:02 +02:00
bpf Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES" 2023-03-17 08:50:32 +01:00
bpfilter
bridge net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode 2023-07-19 16:22:04 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:50:24 +01:00
can can: isotp: isotp_sendmsg(): fix return error fix on TX path 2023-07-01 13:16:23 +02:00
ceph use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
core net: prevent skb corruption on frag list segmentation 2023-07-23 13:49:23 +02:00
dcb
dccp netfilter: keep conntrack reference until IPsecv6 policy checks are done 2023-05-11 23:03:18 +09:00
dns_resolver
dsa net: dsa: sja1105: always enable the send_meta options 2023-07-19 16:22:06 +02:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: Fix uninitialized number of lanes 2023-05-17 11:53:37 +02:00
hsr hsr: ratelimit only when errors are printed 2023-04-06 12:10:58 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 tcp: annotate data races in __tcp_oow_rate_limited() 2023-07-19 16:22:05 +02:00
ipv6 ipv6/addrconf: fix a potential refcount underflow for idev 2023-07-23 13:49:24 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:33:50 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key af_key: Reject optional tunnel/BEET mode templates in outbound policies 2023-05-24 17:32:43 +01:00
l2tp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 14:28:43 +02:00
l3mdev
lapb
llc net: deal with most data-races in sk_wait_event() 2023-05-24 17:32:32 +01:00
mac80211 wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam 2023-07-19 16:21:09 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-05 09:53:08 +01:00
mctp net: mctp: purge receive queues on sk destruction 2023-02-06 08:06:34 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:59:53 +01:00
mptcp mptcp: ensure listener is unhashed before updating the sk status 2023-07-01 13:16:22 +02:00
ncsi net/ncsi: clear Tx enable mode when handling a Config required AEN 2023-05-17 11:53:32 +02:00
netfilter netfilter: nf_tables: prevent OOB access in nft_byteorder_eval 2023-07-19 16:22:17 +02:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-19 16:21:13 +02:00
netrom netrom: fix info-leak in nr_write_internal() 2023-06-09 10:34:01 +02:00
nfc net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-19 16:21:13 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-24 17:32:45 +01:00
openvswitch net: openvswitch: fix race on port output 2023-04-20 12:35:09 +02:00
packet af_packet: do not use READ_ONCE() in packet_bind() 2023-06-09 10:34:02 +02:00
phonet
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:35:09 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:33:02 +01:00
rfkill
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:59:42 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:53:35 +02:00
sched net/sched: sch_qfq: account for stab overhead in qfq_enqueue 2023-07-23 13:49:27 +02:00
sctp sctp: fix potential deadlock on &net->sctp.addr_wq_lock 2023-07-19 16:22:00 +02:00
smc net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT 2023-06-14 11:15:17 +02:00
strparser
sunrpc SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-19 16:21:48 +02:00
switchdev
tipc net: tipc: resize nlattr array to correct size 2023-06-21 16:01:02 +02:00
tls tls: rx: strp: don't use GFP_KERNEL in softirq context 2023-06-09 10:34:29 +02:00
unix bpf, sockmap: Pass skb ownership through read_skb 2023-06-05 09:26:18 +02:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-24 17:32:44 +01:00
wireless wifi: cfg80211: fix regulatory disconnect for non-MLO 2023-07-19 16:22:09 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-09 11:28:13 +01:00
xdp xsk: Honor SO_BINDTODEVICE on bind 2023-07-19 16:22:05 +02:00
xfrm xfrm: Ensure policies always checked on XFRM-I input path 2023-06-28 11:12:28 +02:00
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
compat.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
devres.c
socket.c net: annotate sk->sk_err write from do_recvmmsg() 2023-05-24 17:32:32 +01:00
sysctl_net.c