lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z/1cHjRv/oKL1UlL@pop-os.localdomain>
Date: Mon, 14 Apr 2025 12:03:58 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Konstantin Khlebnikov <koct9i@...il.com>
Cc: netdev@...r.kernel.org, jhs@...atatu.com, jiri@...nulli.us,
	gerrard.tai@...rlabs.sg
Subject: Re: [Patch net 1/2] net_sched: hfsc: Fix a UAF vulnerability in
 class handling

On Mon, Apr 14, 2025 at 12:09:54PM +0200, Konstantin Khlebnikov wrote:
> On Mon, 14 Apr 2025 at 11:39, Konstantin Khlebnikov <koct9i@...il.com> wrote:
> >
> > >                 if (cl->qdisc->q.qlen != 0) {
> > > -                       int len = qdisc_peek_len(cl->qdisc);
> > > -
> >
> > I don't see any functional changes in the code.
> 
> Oh, I see. "peek" indeed can drop some packets.
> But it is supposed to return skb, which should still be still part of the queue.
> I guess you are also seeing the warning "%s: %s qdisc %X: is
> non-work-conserving?".
> 
> Actually, following code cares about size of next packet so it could
> be clearer to rewrite it as:

Actually the bug happened when ->peek() returns NULL (hence len = 0),
because otherwise implementation like qdisc_peek_dequeued() would just
add the qlen back:

1125         /* we can reuse ->gso_skb because peek isn't called for root qdiscs */
1126         if (!skb) {
1127                 skb = sch->dequeue(sch);
1128
1129                 if (skb) {
1130                         __skb_queue_head(&sch->gso_skb, skb);
1131                         /* it's still part of the queue */
1132                         qdisc_qstats_backlog_inc(sch, skb);
1133                         sch->q.qlen++;

To me, it is at least harder to interpret len!=0, qlen is more straight
forward and easier to understand. And more importantly update_vf() tests
qlen too, so it is at least more consistent if we just use qlen across
the entire HFSC code.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ