Message-Id: <20230101215744.709178-1-jhs@mojatatu.com>
Date: Sun, 1 Jan 2023 16:57:42 -0500
From: Jamal Hadi Salim <jhs@...atatu.com>
To: davem@...emloft.net, kuba@...nel.org, edumazet@...gle.com, pabeni@...hat.com
Cc: xiyou.wangcong@...il.com, jiri@...nulli.us, netdev@...r.kernel.org, zengyhkyle@...il.com, Jamal Hadi Salim <jhs@...atatu.com>
Subject: [PATCH net 0/2] dont intepret cls results when asked to drop

It is possible that an error in processing may occur in tcf_classify() which
will result in res.classid being some garbage value. An example of such a code
path is when the classifier goes into a loop due to bad policy. See patch 1/2
for a sample splat.

While the core code reacts correctly and asks the caller to drop the packet
(by returning TC_ACT_SHOT), some callers first interpret the res.class as
a pointer to memory and end up dropping the packet only after some activity
with the pointer. There is a likelihood of this resulting in an exploit. So
let's fix all the known qdiscs that behave this way.

Jamal Hadi Salim (2):
  net: sched: atm: dont intepret cls results when asked to drop
  net: sched: cbq: dont intepret cls results when asked to drop

 net/sched/sch_atm.c | 5 ++++-
 net/sched/sch_cbq.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

-- 
2.34.1
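
The ordering problem described in the cover letter, as an added user-space model that is not part of the patch series or of the kernel source. Every name in it (model_classify, model_result, enqueue_result_first, enqueue_verdict_first, the MODEL_ACT_* values) is a hypothetical stand-in, and 0xdeadbeef is a constructed placeholder for a stale result.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model; all names are hypothetical stand-ins, not kernel code. */
enum { MODEL_ACT_OK = 0, MODEL_ACT_SHOT = 2 };
struct model_result { unsigned long class; };
struct model_flow { int id; };
static struct model_flow flows[2] = { { 1 }, { 2 } };

/* Classifier model: on the error path it returns SHOT and never writes res. */
static int model_classify(int pkt, struct model_result *res)
{
    if (pkt < 0)                      /* constructed error case */
        return MODEL_ACT_SHOT;
    res->class = (unsigned long)&flows[pkt & 1];
    return MODEL_ACT_OK;
}

/* Ordering the cover letter warns about: the result is interpreted first. */
static int enqueue_result_first(int pkt, const void **touched)
{
    struct model_result res = { 0xdeadbeefUL };  /* constructed garbage */
    int verdict = model_classify(pkt, &res);
    struct model_flow *flow = (struct model_flow *)res.class;

    *touched = flow;                  /* a real caller would use flow here */
    if (verdict == MODEL_ACT_SHOT)
        return -1;                    /* dropped, but only after the use */
    return flow->id;
}

/* Corrected ordering: check the verdict before looking at the result. */
static int enqueue_verdict_first(int pkt, const void **touched)
{
    struct model_result res = { 0xdeadbeefUL };  /* constructed garbage */
    int verdict = model_classify(pkt, &res);

    *touched = NULL;
    if (verdict == MODEL_ACT_SHOT)
        return -1;                    /* dropped, result never read */
    *touched = (const void *)res.class;
    return ((struct model_flow *)res.class)->id;
}

int main(void)
{
    const void *a, *b;
    int ra = enqueue_result_first(-1, &a);
    int rb = enqueue_verdict_first(-1, &b);
    printf("result-first:  rc=%d touched=%p\n", ra, a);
    printf("verdict-first: rc=%d touched=%p\n", rb, b);
    return 0;
}
```

Both variants drop the packet; the difference is whether the stale value was ever treated as a pointer on the way to the drop.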