| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Jun 2024 22:11:39 +0300
From: Vladimir Oltean <vladimir.oltean@....com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Jamal Hadi Salim <jhs@...atatu.com>,
Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>,
netdev@...r.kernel.org, eric.dumazet@...il.com,
Noam Rathaus <noamr@...-disclosure.com>,
Vinicius Costa Gomes <vinicius.gomes@...el.com>
Subject: Re: [PATCH net] net/sched: taprio: always validate
TCA_TAPRIO_ATTR_PRIOMAP
On Tue, Jun 04, 2024 at 06:15:11PM +0000, Eric Dumazet wrote:
> If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,
> taprio_parse_mqprio_opt() must validate it, or userspace
> can inject arbitrary data to the kernel, the second time
> taprio_change() is called.
>
> First call (with valid attributes) sets dev->num_tc
> to a non zero value.
>
> Second call (with arbitrary mqprio attributes)
> returns early from taprio_parse_mqprio_opt()
> and bad things can happen.
>
> Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
> Reported-by: Noam Rathaus <noamr@...-disclosure.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Vinicius Costa Gomes <vinicius.gomes@...el.com>
> Cc: Vladimir Oltean <vladimir.oltean@....com>
> ---
> net/sched/sch_taprio.c | 15 ++++++---------
> 1 file changed, 6 insertions(+), 9 deletions(-)
>
> diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
> index 937a0c513c17..b284a06b5a75 100644
> --- a/net/sched/sch_taprio.c
> +++ b/net/sched/sch_taprio.c
> @@ -1176,16 +1176,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev,
> {
> bool allow_overlapping_txqs = TXTIME_ASSIST_IS_ENABLED(taprio_flags);
>
> - if (!qopt && !dev->num_tc) {
> - NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary");
> - return -EINVAL;
> - }
> -
> - /* If num_tc is already set, it means that the user already
> - * configured the mqprio part
> - */
> - if (dev->num_tc)
> + if (!qopt) {
> + if (!dev->num_tc) {
> + NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary");
> + return -EINVAL;
> + }
> return 0;
> + }
>
> /* taprio imposes that traffic classes map 1:n to tx queues */
> if (qopt->num_tc > dev->num_tx_queues) {
> --
> 2.45.2.505.gda0bf45e8d-goog
>
Correct, the mqprio qopt structure should be validated whenever passed,
not just if dev->num_tc == 0.
But... what bad things can happen?
Whenever I try to trick the kernel into doing something with the second
mqprio, I get:
"Changing the traffic mapping of a running schedule is not supported."
Powered by blists - more mailing lists