| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Aug 2021 09:44:41 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: tcs.kernel@...il.com, vinicius.gomes@...el.com, jhs@...atatu.com,
xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net,
kuba@...nel.org, netdev@...r.kernel.org
Cc: Haimin Zhang <tcs_kernel@...cent.com>
Subject: Re: [PATCH] net:sched fix array-index-out-of-bounds in taprio_change
On 8/11/21 7:10 AM, tcs.kernel@...il.com wrote:
> From: Haimin Zhang <tcs_kernel@...cent.com>
>
> syzbot report an array-index-out-of-bounds in taprio_change
> index 16 is out of range for type '__u16 [16]'
> that's because mqprio->num_tc is lager than TC_MAX_QUEUE,so we check
> the return value of netdev_set_num_tc.
>
> Reported-by: syzbot+2b3e5fb6c7ef285a94f6@...kaller.appspotmail.com
> Signed-off-by: Haimin Zhang <tcs_kernel@...cent.com>
> ---
> net/sched/sch_taprio.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
> index 9c79374..1ab2fc9 100644
> --- a/net/sched/sch_taprio.c
> +++ b/net/sched/sch_taprio.c
> @@ -1513,7 +1513,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
> taprio_set_picos_per_byte(dev, q);
>
> if (mqprio) {
> - netdev_set_num_tc(dev, mqprio->num_tc);
> + err = netdev_set_num_tc(dev, mqprio->num_tc);
> + if (err)
> + goto free_sched;
> for (i = 0; i < mqprio->num_tc; i++)
> netdev_set_tc_queue(dev, i,
> mqprio->count[i],
>
When was the bug added ?
Hint: Please provide a Fixes: tag
taprio_parse_mqprio_opt() already checks :
/* Verify num_tc is not out of max range */
if (qopt->num_tc > TC_MAX_QUEUE) {
NL_SET_ERR_MSG(extack, "Number of traffic classes is outside valid range");
return -EINVAL;
}
So what is happening exactly ?
Powered by blists - more mailing lists