Message-ID: <20250522181448.1439717-1-pctammela@mojatatu.com>
Date: Thu, 22 May 2025 15:14:46 -0300
From: Pedro Tammela <pctammela@...atatu.com>
To: netdev@...r.kernel.org
Cc: jhs@...atatu.com,
xiyou.wangcong@...il.com,
jiri@...nulli.us,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
horms@...nel.org,
Pedro Tammela <pctammela@...atatu.com>
Subject: [PATCH net v2 0/2] net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
Savino says:
"We are writing to report that this recent patch
(141d34391abbb315d68556b7c67ad97885407547)
can be bypassed, and a UAF can still occur when HFSC is utilized with
NETEM.
The patch only checks the cl->cl_nactive field to determine whether
it is the first insertion or not, but this field is only
incremented by init_vf.
By using HFSC_RSC (which uses init_ed), it is possible to bypass the
check and insert the class twice in the eltree.
Under normal conditions, this would lead to an infinite loop in
hfsc_dequeue for the reasons we already explained in this report.
However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued.
This behavior can be exploited to perform subsequent insertions in the
HFSC eltree and cause a UAF."
To fix both the UAF and the infinite loop, with netem as an hfsc child,
check explicitly in hfsc_enqueue whether the class is already in the eltree
whenever the HFSC_RSC flag is set.
Also add a TDC test to reproduce the UAF scenario.
v1 -> v2:
- Added Jamal's Acked-by
- Added Victor's Tested-by
- Added a TDC test
- Called RB_CLEAR_NODE right after class allocation (Eric)
Pedro Tammela (2):
net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
selftests/tc-testing: Add a test for HFSC eltree double add with reentrant enqueue behaviour on netem
net/sched/sch_hfsc.c | 9 ++++-
.../tc-testing/tc-tests/infra/qdiscs.json | 35 +++++++++++++++++++
2 files changed, 43 insertions(+), 1 deletion(-)
--
2.43.0
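As an added illustration that is not part of this series or of sch_hfsc.c: a constructed C model of the two guards the cover letter contrasts, the cl_nactive check that only init_vf feeds versus a direct "is the class already in the eltree" check. It assumes a linked list standing in for the rbtree eltree, one-line init_ed/init_vf stand-ins, and a second enqueue_first call standing in for the reentrant enqueue through the netem child.

```c
#include <stdio.h>
/* Constructed model, not sch_hfsc.c: a node linked to itself is "in no tree",
 * mirroring RB_CLEAR_NODE/RB_EMPTY_NODE; the eltree is just a linked list. */
struct elnode { struct elnode *next; };
static void elnode_clear(struct elnode *n) { n->next = n; }
static int elnode_empty(const struct elnode *n) { return n->next == n; }
struct hfsc_class { unsigned cl_nactive; struct elnode el; };
struct eltree { struct elnode head; };
static void eltree_insert(struct eltree *t, struct hfsc_class *cl) {
    cl->el.next = t->head.next;   /* inserting the same class twice links it to itself */
    t->head.next = &cl->el;
}
/* Walk the eltree; -1 stands for the infinite loop dequeue would hit on a cycle. */
static int eltree_walk(const struct eltree *t) {
    int n = 0;
    for (const struct elnode *p = t->head.next; p; p = p->next)
        if (++n > 1000) return -1;
    return n;
}
enum guard { GUARD_NACTIVE, GUARD_NODE };   /* old cl_nactive check vs. membership check */
#define HFSC_RSC 1u
#define HFSC_FSC 2u
static void init_ed(struct eltree *t, struct hfsc_class *cl) { eltree_insert(t, cl); }
static void init_vf(struct hfsc_class *cl) { cl->cl_nactive++; }   /* only init_vf bumps it */

/* The "first packet for this class" branch of enqueue, reduced to the two checks. */
static void enqueue_first(struct eltree *t, struct hfsc_class *cl, unsigned flags, enum guard g) {
    if (g == GUARD_NACTIVE && cl->cl_nactive) return;   /* never trips with HFSC_RSC alone */
    if (flags & HFSC_RSC) {
        if (g == GUARD_NODE && !elnode_empty(&cl->el)) return;   /* already in the eltree */
        init_ed(t, cl);
    }
    if (flags & HFSC_FSC) init_vf(cl);
}

/* Enqueue twice on one class, the second call standing in for the reentrant enqueue
 * through the netem child; returns the eltree size, or -1 if it became cyclic. */
static int simulate(unsigned flags, enum guard g) {
    struct eltree t = { { NULL } };
    struct hfsc_class cl = { 0, { NULL } };
    elnode_clear(&cl.el);                        /* RB_CLEAR_NODE right after allocation */
    enqueue_first(&t, &cl, flags, g);
    enqueue_first(&t, &cl, flags, g);
    return eltree_walk(&t);
}

int main(void) {
    printf("RSC only: cl_nactive guard -> %d, membership guard -> %d\n",
           simulate(HFSC_RSC, GUARD_NACTIVE), simulate(HFSC_RSC, GUARD_NODE));
    return 0;
}
```

With only HFSC_RSC set, the counter-based guard lets the second insert through and the walk reports a cycle; the membership guard refuses it.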