lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230220133601.562773440@linuxfoundation.org> Date: Mon, 20 Feb 2023 14:35:44 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: stable@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, patches@...ts.linux.dev, Jamal Hadi Salim <jhs@...atatu.com>, Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, Kees Cook <keescook@...omium.org>, Simon Horman <simon.horman@...igine.com>, Cong Wang <cong.wang@...edance.com>, Sasha Levin <sashal@...nel.org> Subject: [PATCH 6.1 028/118] net: sched: sch: Bounds check priority From: Kees Cook <keescook@...omium.org> [ Upstream commit de5ca4c3852f896cacac2bf259597aab5e17d9e3 ] Nothing was explicitly bounds checking the priority index used to access clpriop[]. WARN and bail out early if it's pathological. Seen with GCC 13: ../net/sched/sch_htb.c: In function 'htb_activate_prios': ../net/sched/sch_htb.c:437:44: warning: array subscript [0, 31] is outside array bounds of 'struct htb_prio[8]' [-Warray-bounds=] 437 | if (p->inner.clprio[prio].feed.rb_node) | ~~~~~~~~~~~~~~~^~~~~~ ../net/sched/sch_htb.c:131:41: note: while referencing 'clprio' 131 | struct htb_prio clprio[TC_HTB_NUMPRIO]; | ^~~~~~ Cc: Jamal Hadi Salim <jhs@...atatu.com> Cc: Cong Wang <xiyou.wangcong@...il.com> Cc: Jiri Pirko <jiri@...nulli.us> Cc: "David S. Miller" <davem@...emloft.net> Cc: Eric Dumazet <edumazet@...gle.com> Cc: Jakub Kicinski <kuba@...nel.org> Cc: Paolo Abeni <pabeni@...hat.com> Cc: netdev@...r.kernel.org Signed-off-by: Kees Cook <keescook@...omium.org> Reviewed-by: Simon Horman <simon.horman@...igine.com> Reviewed-by: Cong Wang <cong.wang@...edance.com> Link: https://lore.kernel.org/r/20230127224036.never.561-kees@kernel.org Signed-off-by: Paolo Abeni <pabeni@...hat.com> Signed-off-by: Sasha Levin <sashal@...nel.org> --- net/sched/sch_htb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 3afac9c21a763..14a202b5a3187 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -427,7 +427,10 @@ static void htb_activate_prios(struct htb_sched *q, struct htb_class *cl) while (cl->cmode == HTB_MAY_BORROW && p && mask) { m = mask; while (m) { - int prio = ffz(~m); + unsigned int prio = ffz(~m); + + if (WARN_ON_ONCE(prio > ARRAY_SIZE(p->inner.clprio))) + break; m &= ~(1 << prio); if (p->inner.clprio[prio].feed.rb_node) -- 2.39.0
Powered by blists - more mailing lists