| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZfA4U0itpWSjsALX@localhost.localdomain>
Date: Tue, 12 Mar 2024 12:11:15 +0100
From: Michal Kubiak <michal.kubiak@...el.com>
To: Eric Dumazet <edumazet@...gle.com>
CC: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski
<kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, <netdev@...r.kernel.org>,
<eric.dumazet@...il.com>,
<syzbot+a340daa06412d6028918@...kaller.appspotmail.com>, Vladimir Oltean
<vladimir.oltean@....com>
Subject: Re: [PATCH net] net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX
check
On Mon, Mar 11, 2024 at 08:46:28PM +0000, Eric Dumazet wrote:
> taprio_parse_tc_entry() is not correctly checking
> TCA_TAPRIO_TC_ENTRY_INDEX attribute:
>
> int tc; // Signed value
>
> tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);
> if (tc >= TC_QOPT_MAX_QUEUE) {
> NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range");
> return -ERANGE;
> }
>
> syzbot reported that it could fed arbitary negative values:
nitpick: arbitary -> arbitrary (checkpatch)
>
> UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18
> shift exponent -2147418108 is negative
> CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
> ubsan_epilogue lib/ubsan.c:217 [inline]
> __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386
> taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]
> taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]
> taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877
> taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134
> qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355
> tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776
> rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617
> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
> netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
> netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
> netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg+0x221/0x270 net/socket.c:745
> ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
> ___sys_sendmsg net/socket.c:2638 [inline]
> __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
> do_syscall_64+0xf9/0x240
> entry_SYSCALL_64_after_hwframe+0x6f/0x77
> RIP: 0033:0x7f1b2dea3759
> Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759
> RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004
> RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000
> R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340
> R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340
>
> Fixes: a54fc09e4cba ("net/sched: taprio: allow user input of per-tc max SDU")
> Reported-and-tested-by: syzbot+a340daa06412d6028918@...kaller.appspotmail.com
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Vladimir Oltean <vladimir.oltean@....com>
> ---
> net/sched/sch_taprio.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
> index 31a8252bd09c9111090f0147df6deb0ad81577af..ad99409c6325e179319f8ec4053582417a978817 100644
> --- a/net/sched/sch_taprio.c
> +++ b/net/sched/sch_taprio.c
> @@ -1008,7 +1008,8 @@ static const struct nla_policy entry_policy[TCA_TAPRIO_SCHED_ENTRY_MAX + 1] = {
> };
>
> static const struct nla_policy taprio_tc_policy[TCA_TAPRIO_TC_ENTRY_MAX + 1] = {
> - [TCA_TAPRIO_TC_ENTRY_INDEX] = { .type = NLA_U32 },
> + [TCA_TAPRIO_TC_ENTRY_INDEX] = NLA_POLICY_MAX(NLA_U32,
> + TC_QOPT_MAX_QUEUE),
> [TCA_TAPRIO_TC_ENTRY_MAX_SDU] = { .type = NLA_U32 },
> [TCA_TAPRIO_TC_ENTRY_FP] = NLA_POLICY_RANGE(NLA_U32,
> TC_FP_EXPRESS,
> --
> 2.44.0.278.ge034bb2e1d-goog
>
>
Looks OK to me. Please just review the checkpatch warnings.
Thanks,
Reviewed-by: Michal Kubiak <michal.kubiak@...el.com>
Powered by blists - more mailing lists