Date: Fri, 06 Dec 2019 11:59:28 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: vladyslavt@...lanox.com
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] mqprio: Fix out-of-bounds access in mqprio_dump

From: Vladyslav Tarasiuk <vladyslavt@...lanox.com>
Date: Fri, 6 Dec 2019 13:51:05 +0000

> When user runs a command like
> tc qdisc add dev eth1 root mqprio
> KASAN stack-out-of-bounds warning is emitted.
> Currently, NLA_ALIGN macro used in mqprio_dump provides too large
> buffer size as argument for nla_put and memcpy down the call stack.
> The flow looks like this:
> 1. nla_put expects exact object size as an argument;
> 2. Later it provides this size to memcpy;
> 3. To calculate correct padding for SKB, nla_put applies NLA_ALIGN
>    macro itself.
>
> Therefore, NLA_ALIGN should not be applied to the nla_put parameter.
> Otherwise it will lead to out-of-bounds memory access in memcpy.
>
> Fixes: 4e8b86c06269 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
> Signed-off-by: Vladyslav Tarasiuk <vladyslavt@...lanox.com>

Applied and queued up for -stable.
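A user-space model of the flow described in the quoted commit message, added here as an illustration; it is not the kernel's code and not the patch. `model_nla_put`, `struct frame`, `OBJ_SIZE` and `CANARY` are constructed for the example; only the `NLA_ALIGN` arithmetic mirrors the kernel macro.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in include/uapi/linux/netlink.h */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN 4            /* NLA_ALIGN(sizeof(struct nlattr)) */
#define OBJ_SIZE 82             /* constructed: a size that is not a multiple of 4 */
#define CANARY 0xAA             /* constructed marker for bytes outside the object */

/* Constructed stand-in for a stack frame: the object, then unrelated data. */
struct frame { uint8_t opt[OBJ_SIZE]; uint8_t neighbour[8]; };

/* Simplified model of nla_put(): header, memcpy of exactly attrlen bytes, own padding. */
static size_t model_nla_put(uint8_t *buf, size_t room, uint16_t type,
                            size_t attrlen, const void *data)
{
    size_t total = NLA_ALIGN(NLA_HDRLEN + attrlen);
    uint16_t nla_len = (uint16_t)(NLA_HDRLEN + attrlen);
    if (total > room)
        return 0;
    memcpy(buf, &nla_len, sizeof(nla_len));
    memcpy(buf + 2, &type, sizeof(type));
    memcpy(buf + NLA_HDRLEN, data, attrlen);   /* trusts the caller's size */
    memset(buf + NLA_HDRLEN + attrlen, 0, total - NLA_HDRLEN - attrlen);
    return total;
}

/* Number of bytes from outside the object that reach the emitted attribute. */
static size_t foreign_bytes(size_t attrlen)
{
    struct frame f;
    uint8_t msg[128];
    size_t i, n = 0;
    memset(f.opt, 0x11, sizeof(f.opt));
    memset(f.neighbour, CANARY, sizeof(f.neighbour));
    if (!model_nla_put(msg, sizeof(msg), 1, attrlen, &f))
        return 0;
    for (i = OBJ_SIZE; i < NLA_ALIGN(attrlen); i++)
        n += (msg[NLA_HDRLEN + i] == CANARY);
    return n;
}

int main(void)
{
    printf("exact size: %zu foreign bytes, aligned size: %zu foreign bytes\n",
           foreign_bytes(OBJ_SIZE), foreign_bytes(NLA_ALIGN(OBJ_SIZE)));
    return 0;
}
```

Both calls produce an attribute of the same total length; the difference is whether the trailing bytes are padding written by the model or data read from beyond the object.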