| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aIPHD7Ktk8Q2kyrL@pop-os.localdomain>
Date: Fri, 25 Jul 2025 11:03:59 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Simon Horman <horms@...nel.org>
Cc: Maher Azzouzi <maherazz04@...il.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, jhs@...atatu.com, jiri@...nulli.us,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, Ferenc Fejes <fejes@....elte.hu>,
Vladimir Oltean <vladimir.oltean@....com>
Subject: Re: [PATCH net] net/sched: mqprio: fix stack out-of-bounds write in
tc entry parsing
On Wed, Jul 23, 2025 at 01:55:21PM +0100, Simon Horman wrote:
> + Ferenc and Vladimir
>
> On Tue, Jul 22, 2025 at 04:51:21PM +0100, Maher Azzouzi wrote:
> > From: MaherAzzouzi <maherazz04@...il.com>
>
> nit: space between your names please
>
> >
> > TCA_MQPRIO_TC_ENTRY_INDEX is validated using
> > NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
> > TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in
> > the fp[] array, which only has room for 16 elements (0–15).
> >
> > Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.
> >
> > Fixes: f62af20bed2d ("net/sched: mqprio: allow per-TC user input of FP adminStatus")
> > Reported-by: Maher Azzouzi <maherazz04@...il.com>
>
> I don't think there is any need to include a Reported-by tag if
> you are also the patch author.
+1
>
> > Signed-off-by: Maher Azzouzi <maherazz04@...il.com>
>
> I agree with your analysis and that this is a good fix.
>
> Reviewed-by: Simon Horman <horms@...nel.org>
Reviewed-by: Cong Wang <xiyou.wangcong@...il.com>
Thanks for the patch.
Powered by blists - more mailing lists