lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sun,  1 Jan 2023 16:57:42 -0500
From:   Jamal Hadi Salim <jhs@...atatu.com>
To:     davem@...emloft.net, kuba@...nel.org, edumazet@...gle.com,
        pabeni@...hat.com
Cc:     xiyou.wangcong@...il.com, jiri@...nulli.us, netdev@...r.kernel.org,
        zengyhkyle@...il.com, Jamal Hadi Salim <jhs@...atatu.com>
Subject: [PATCH net 0/2] dont intepret cls results when asked to drop

It is possible that an error in processing may occur in tcf_classify() which
will result in res.classid being some garbage value. Example of such a code path
is when the classifier goes into a loop due to bad policy. See patch 1/2
for a sample splat.
While the core code reacts correctly and asks the caller to drop the packet
(by returning TC_ACT_SHOT) some callers first intepret the res.class as
a pointer to memory and end up dropping the packet only after some activity with
the pointer. There is likelihood of this resulting in an exploit. So lets fix
all the known qdiscs that behave this way.

Jamal Hadi Salim (2):
  net: sched: atm: dont intepret cls results when asked to drop
  net: sched: cbq: dont intepret cls results when asked to drop

 net/sched/sch_atm.c | 5 ++++-
 net/sched/sch_cbq.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

-- 
2.34.1

Powered by blists - more mailing lists