lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250111130154.6fddde00@kernel.org>
Date: Sat, 11 Jan 2025 13:01:54 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Jamal Hadi Salim <jhs@...atatu.com>
Cc: netdev@...r.kernel.org, jiri@...nulli.us, xiyou.wangcong@...il.com,
 davem@...emloft.net, edumazet@...gle.com, petrm@...lanox.com,
 security@...nel.org, g1042620637@...il.com
Subject: Re: [PATCH net v4 1/1] net: sched: fix ets qdisc OOB Indexing

On Sat, 11 Jan 2025 09:57:39 -0500 Jamal Hadi Salim wrote:
> Haowei Yan <g1042620637@...il.com> found that ets_class_from_arg() can
> index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
> 0. The overflow may cause local privilege escalation.

Code is identical to v1 here...

While fixing the code, could you also trim the stack trace?
Like this:

   UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
   index 18446744073709551615 is out of range for type 'ets_class [16]'
   CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
   Call Trace:
    <TASK>
    ets_class_change+0x3d6/0x3f0
    tc_ctl_tclass+0x251/0x910
    rtnetlink_rcv_msg+0x170/0x6f0
    netlink_rcv_skb+0x59/0x110
    rtnetlink_rcv+0x15/0x30
    netlink_unicast+0x1c3/0x2b0
    netlink_sendmsg+0x239/0x4b0
    ____sys_sendmsg+0x3e2/0x410
    ___sys_sendmsg+0x88/0xe0
    __sys_sendmsg+0x69/0xd0

the rest has no value.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ