lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CALYGNiPSPCS5K8moi_Yvzv2GJ14oK-bc+t75tuDiF8cCR=JqLA@mail.gmail.com>
Date: Tue, 15 Apr 2025 10:08:40 +0200
From: Konstantin Khlebnikov <koct9i@...il.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: netdev@...r.kernel.org, jhs@...atatu.com, jiri@...nulli.us, 
	gerrard.tai@...rlabs.sg
Subject: Re: [Patch net 1/2] net_sched: hfsc: Fix a UAF vulnerability in class handling

On Mon, 14 Apr 2025 at 21:04, Cong Wang <xiyou.wangcong@...il.com> wrote:
>
> On Mon, Apr 14, 2025 at 12:09:54PM +0200, Konstantin Khlebnikov wrote:
> > On Mon, 14 Apr 2025 at 11:39, Konstantin Khlebnikov <koct9i@...il.com> wrote:
> > >
> > > >                 if (cl->qdisc->q.qlen != 0) {
> > > > -                       int len = qdisc_peek_len(cl->qdisc);
> > > > -
> > >
> > > I don't see any functional changes in the code.
> >
> > Oh, I see. "peek" indeed can drop some packets.
> > But it is supposed to return skb, which should still be still part of the queue.
> > I guess you are also seeing the warning "%s: %s qdisc %X: is
> > non-work-conserving?".
> >
> > Actually, following code cares about size of next packet so it could
> > be clearer to rewrite it as:
>
> Actually the bug happened when ->peek() returns NULL (hence len = 0),
> because otherwise implementation like qdisc_peek_dequeued() would just
> add the qlen back:
>
> 1125         /* we can reuse ->gso_skb because peek isn't called for root qdiscs */
> 1126         if (!skb) {
> 1127                 skb = sch->dequeue(sch);
> 1128
> 1129                 if (skb) {
> 1130                         __skb_queue_head(&sch->gso_skb, skb);
> 1131                         /* it's still part of the queue */
> 1132                         qdisc_qstats_backlog_inc(sch, skb);
> 1133                         sch->q.qlen++;
>
> To me, it is at least harder to interpret len!=0, qlen is more straight
> forward and easier to understand. And more importantly update_vf() tests
> qlen too, so it is at least more consistent if we just use qlen across
> the entire HFSC code.

Ok, that's a matter of taste.

> Thanks.

Reviewed-by: Konstantin Khlebnikov <koct9i@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ