Message-ID: <CAM0EoMkRqod-MsMb60krtZ38SszwTR+3jjwE1BHPKe4m6oVArw@mail.gmail.com>
Date: Sat, 11 Jan 2025 16:17:45 -0500
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, jiri@...nulli.us, xiyou.wangcong@...il.com,
davem@...emloft.net, edumazet@...gle.com, petrm@...lanox.com,
security@...nel.org, g1042620637@...il.com
Subject: Re: [PATCH net v4 1/1] net: sched: fix ets qdisc OOB Indexing
On Sat, Jan 11, 2025 at 4:01 PM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Sat, 11 Jan 2025 09:57:39 -0500 Jamal Hadi Salim wrote:
> > Haowei Yan <g1042620637@...il.com> found that ets_class_from_arg() can
> > index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
> > 0. The overflow may cause local privilege escalation.
>
> Code is identical to v1 here...
>
The inequality changed > vs >=
> While fixing the code, could you also trim the stack trace?
> Like this:
>
> UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
> index 18446744073709551615 is out of range for type 'ets_class [16]'
> CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
> Call Trace:
> <TASK>
> ets_class_change+0x3d6/0x3f0
> tc_ctl_tclass+0x251/0x910
> rtnetlink_rcv_msg+0x170/0x6f0
> netlink_rcv_skb+0x59/0x110
> rtnetlink_rcv+0x15/0x30
> netlink_unicast+0x1c3/0x2b0
> netlink_sendmsg+0x239/0x4b0
> ____sys_sendmsg+0x3e2/0x410
> ___sys_sendmsg+0x88/0xe0
> __sys_sendmsg+0x69/0xd0
>
> the rest has no value.
Still want this change?
cheers,
jamal
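The index arithmetic behind the UBSAN report, as an added example that is not the kernel's sch_ets.c and not the patch under review: the qdisc private state is modelled with a hypothetical global array and band count, raw_index() reproduces how a clid of 0 wraps to 18446744073709551615, and class_from_arg() shows a range check that admits exactly the 1-based handles 1..nbands and rejects everything else.

```c
/* Added example (not the kernel's code): models the index arithmetic
 * behind the UBSAN report in the thread. In the real sch_ets.c the class
 * array and band count live in struct ets_sched; here they are plain
 * globals so the block compiles and runs on its own. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define ETS_MAX_BANDS 16   /* matches 'ets_class [16]' in the report */

struct ets_class { unsigned int deficit; };

/* Hypothetical stand-in for the qdisc private state. */
static struct ets_class classes[ETS_MAX_BANDS];
static unsigned int nbands = ETS_MAX_BANDS;

/* Hypothetical configuration helper: the configured band count can be
 * smaller than the array, so the check must use nbands, not the array size. */
static unsigned int set_nbands(unsigned int n)
{
	nbands = n > ETS_MAX_BANDS ? ETS_MAX_BANDS : n;
	return nbands;
}

/* tc class handles are 1-based and are stored in a 0-based array. With no
 * check, clid 0 becomes (0 - 1) on an unsigned long, i.e. ULONG_MAX, the
 * 18446744073709551615 UBSAN printed. This helper only computes the index
 * so the wraparound can be shown without dereferencing it. */
static unsigned long raw_index(unsigned long arg)
{
	return arg - 1;
}

/* Hardened lookup: accept exactly 1..nbands, return NULL otherwise.
 * '>' is the right comparison here: arg == nbands maps to
 * classes[nbands - 1], the last valid band; '>=' would reject it. */
static struct ets_class *class_from_arg(unsigned long arg)
{
	if (arg == 0 || arg > nbands)
		return NULL;
	return &classes[arg - 1];
}

int main(void)
{
	printf("clid 0 -> raw index %lu (ULONG_MAX is %lu)\n",
	       raw_index(0), ULONG_MAX);
	printf("clid 1 -> %s\n", class_from_arg(1) ? "band 0" : "rejected");
	printf("clid %u -> %s\n", nbands,
	       class_from_arg(nbands) ? "last band" : "rejected");
	printf("clid %u -> %s\n", nbands + 1,
	       class_from_arg(nbands + 1) ? "OOB!" : "rejected");
	set_nbands(4);
	printf("nbands=4, clid 5 -> %s\n",
	       class_from_arg(5) ? "OOB!" : "rejected");
	return 0;
}
```

Callers of such a lookup must handle the NULL return; the check only removes the wrapped index, it does not by itself make the control path safe.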