| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89i+-LreZWpQpiNfNBLWN_in58MEtegKz-qqDk64h2i45LQ@mail.gmail.com>
Date: Fri, 10 Jan 2025 17:24:16 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Jamal Hadi Salim <jhs@...atatu.com>
Cc: netdev@...r.kernel.org, jiri@...nulli.us, xiyou.wangcong@...il.com,
davem@...emloft.net, kuba@...nel.org, petrm@...lanox.com, security@...nel.org
Subject: Re: [PATCH net 1/1] net: sched: fix ets qdisc OOB Indexing
On Fri, Jan 10, 2025 at 4:35 PM Jamal Hadi Salim <jhs@...atatu.com> wrote:
>
> Haowei Yan <g1042620637@...il.com> found that ets_class_from_arg() can
> index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
> 0. The overflow may cause local privilege escalation.
>
> [ 18.852298] ------------[ cut here ]------------
> [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
> [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'
> [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
> [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
> Reported-by: Haowei Yan <g1042620637@...il.com>
> Suggested-by: Haowei Yan <g1042620637@...il.com>
> Signed-off-by: Jamal Hadi Salim <jhs@...atatu.com>
> ---
> net/sched/sch_ets.c | 2 ++
> 1 file changed, 2 insertions(+)
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists