| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250723125521.GA2459@horms.kernel.org>
Date: Wed, 23 Jul 2025 13:55:21 +0100
From: Simon Horman <horms@...nel.org>
To: Maher Azzouzi <maherazz04@...il.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, jhs@...atatu.com,
xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
Ferenc Fejes <fejes@....elte.hu>,
Vladimir Oltean <vladimir.oltean@....com>
Subject: Re: [PATCH net] net/sched: mqprio: fix stack out-of-bounds write in
tc entry parsing
+ Ferenc and Vladimir
On Tue, Jul 22, 2025 at 04:51:21PM +0100, Maher Azzouzi wrote:
> From: MaherAzzouzi <maherazz04@...il.com>
nit: space between your names please
>
> TCA_MQPRIO_TC_ENTRY_INDEX is validated using
> NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
> TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in
> the fp[] array, which only has room for 16 elements (0–15).
>
> Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.
>
> Fixes: f62af20bed2d ("net/sched: mqprio: allow per-TC user input of FP adminStatus")
> Reported-by: Maher Azzouzi <maherazz04@...il.com>
I don't think there is any need to include a Reported-by tag if
you are also the patch author.
> Signed-off-by: Maher Azzouzi <maherazz04@...il.com>
I agree with your analysis and that this is a good fix.
Reviewed-by: Simon Horman <horms@...nel.org>
I do think it is misleading to name this #define MAX,
but it's part of the UAPI so that ship has sailed.
It seems that taprio has a similar problem, but that it is
not a bug due to an additional check. I wonder if something
like this for net-next is appropriate to align it's implementation
wit that of maprio.
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 2b14c81a87e5..e759e43ad27e 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -998,7 +998,7 @@ static const struct nla_policy entry_policy[TCA_TAPRIO_SCHED_ENTRY_MAX + 1] = {
static const struct nla_policy taprio_tc_policy[TCA_TAPRIO_TC_ENTRY_MAX + 1] = {
[TCA_TAPRIO_TC_ENTRY_INDEX] = NLA_POLICY_MAX(NLA_U32,
- TC_QOPT_MAX_QUEUE),
+ TC_QOPT_MAX_QUEUE - 1),
[TCA_TAPRIO_TC_ENTRY_MAX_SDU] = { .type = NLA_U32 },
[TCA_TAPRIO_TC_ENTRY_FP] = NLA_POLICY_RANGE(NLA_U32,
TC_FP_EXPRESS,
@@ -1698,19 +1698,15 @@ static int taprio_parse_tc_entry(struct Qdisc *sch,
if (err < 0)
return err;
- if (!tb[TCA_TAPRIO_TC_ENTRY_INDEX]) {
+ if (NL_REQ_ATTR_CHECK(extack, opt, tb, TCA_TAPRIO_TC_ENTRY_INDEX)) {
NL_SET_ERR_MSG_MOD(extack, "TC entry index missing");
return -EINVAL;
}
tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);
- if (tc >= TC_QOPT_MAX_QUEUE) {
- NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range");
- return -ERANGE;
- }
-
if (*seen_tcs & BIT(tc)) {
- NL_SET_ERR_MSG_MOD(extack, "Duplicate TC entry");
+ NL_SET_ERR_MSG_ATTR(extack, tb[TCA_TAPRIO_TC_ENTRY_INDEX],
+ "Duplicate tc entry");
return -EINVAL;
}
> ---
> net/sched/sch_mqprio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
> index 51d4013b6121..f3e5ef9a9592 100644
> --- a/net/sched/sch_mqprio.c
> +++ b/net/sched/sch_mqprio.c
> @@ -152,7 +152,7 @@ static int mqprio_parse_opt(struct net_device *dev, struct tc_mqprio_qopt *qopt,
> static const struct
> nla_policy mqprio_tc_entry_policy[TCA_MQPRIO_TC_ENTRY_MAX + 1] = {
> [TCA_MQPRIO_TC_ENTRY_INDEX] = NLA_POLICY_MAX(NLA_U32,
> - TC_QOPT_MAX_QUEUE),
> + TC_QOPT_MAX_QUEUE - 1),
> [TCA_MQPRIO_TC_ENTRY_FP] = NLA_POLICY_RANGE(NLA_U32,
> TC_FP_EXPRESS,
> TC_FP_PREEMPTIBLE),
> --
> 2.34.1
>
Powered by blists - more mailing lists