From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Haowei Yan <g1042620637@gmail.com>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Eric Dumazet <edumazet@google.com>,
Petr Machata <petrm@nvidia.com>, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 10/24] net: sched: fix ets qdisc OOB Indexing
Date: Thu, 30 Jan 2025 15:02:02 +0100 [thread overview]
Message-ID: <20250130140127.712306664@linuxfoundation.org> (raw)
In-Reply-To: <20250130140127.295114276@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream.
Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can
index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
0. The overflow may cause local privilege escalation.
[ 18.852298] ------------[ cut here ]------------
[ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
[ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'
[ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
[ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 18.856532] Call Trace:
[ 18.857441] <TASK>
[ 18.858227] dump_stack_lvl+0xc2/0xf0
[ 18.859607] dump_stack+0x10/0x20
[ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0
[ 18.864022] ets_class_change+0x3d6/0x3f0
[ 18.864322] tc_ctl_tclass+0x251/0x910
[ 18.864587] ? lock_acquire+0x5e/0x140
[ 18.865113] ? __mutex_lock+0x9c/0xe70
[ 18.866009] ? __mutex_lock+0xa34/0xe70
[ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0
[ 18.866806] ? __lock_acquire+0x578/0xc10
[ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 18.867503] netlink_rcv_skb+0x59/0x110
[ 18.867776] rtnetlink_rcv+0x15/0x30
[ 18.868159] netlink_unicast+0x1c3/0x2b0
[ 18.868440] netlink_sendmsg+0x239/0x4b0
[ 18.868721] ____sys_sendmsg+0x3e2/0x410
[ 18.869012] ___sys_sendmsg+0x88/0xe0
[ 18.869276] ? rseq_ip_fixup+0x198/0x260
[ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190
[ 18.869900] ? trace_hardirqs_off+0x5a/0xd0
[ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220
[ 18.870547] ? do_syscall_64+0x93/0x150
[ 18.870821] ? __memcg_slab_free_hook+0x69/0x290
[ 18.871157] __sys_sendmsg+0x69/0xd0
[ 18.871416] __x64_sys_sendmsg+0x1d/0x30
[ 18.871699] x64_sys_call+0x9e2/0x2670
[ 18.871979] do_syscall_64+0x87/0x150
[ 18.873280] ? do_syscall_64+0x93/0x150
[ 18.874742] ? lock_release+0x7b/0x160
[ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0
[ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210
[ 18.879608] ? irqentry_exit+0x77/0xb0
[ 18.879808] ? clear_bhb_loop+0x15/0x70
[ 18.880023] ? clear_bhb_loop+0x15/0x70
[ 18.880223] ? clear_bhb_loop+0x15/0x70
[ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 18.880683] RIP: 0033:0x44a957
[ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10
[ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957
[ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003
[ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0
[ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001
[ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001
[ 18.888395] </TASK>
[ 18.888610] ---[ end trace ]---
Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
Reported-by: Haowei Yan <g1042620637@gmail.com>
Suggested-by: Haowei Yan <g1042620637@gmail.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, un
{
struct ets_sched *q = qdisc_priv(sch);
+ if (arg == 0 || arg > q->nbands)
+ return NULL;
return &q->classes[arg - 1];
}
next prev parent reply other threads:[~2025-01-30 14:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-30 14:01 [PATCH 5.15 00/24] 5.15.178-rc1 review Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 01/24] ASoC: wm8994: Add depends on MFD core Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 02/24] ASoC: samsung: Add missing selects for MFD_WM8994 Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 03/24] seccomp: Stub for !CONFIG_SECCOMP Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 04/24] scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 05/24] irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 06/24] ASoC: samsung: Add missing depends on I2C Greg Kroah-Hartman
2025-01-30 14:01 ` [PATCH 5.15 07/24] regmap: detach regmap from dev on regmap_exit Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 08/24] mptcp: dont always assume copied data in mptcp_cleanup_rbuf() Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 09/24] gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Greg Kroah-Hartman
2025-01-30 14:02 ` Greg Kroah-Hartman [this message]
2025-01-30 14:02 ` [PATCH 5.15 11/24] vfio/platform: check the bounds of read/write syscalls Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 12/24] Bluetooth: SCO: Fix not validating setsockopt user input Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 13/24] Bluetooth: RFCOMM: " Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 14/24] fs/ntfs3: Additional check in ntfs_file_release Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 15/24] platform/chrome: cros_ec_typec: Check for EC driver Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 16/24] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 17/24] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 18/24] wifi: iwlwifi: add a few rate index validity checks Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 19/24] USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 20/24] Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 21/24] ALSA: usb-audio: Add delay quirk for USB Audio Device Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 22/24] Input: atkbd - map F23 key to support default copilot shortcut Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 23/24] Input: xpad - add unofficial Xbox 360 wireless receiver clone Greg Kroah-Hartman
2025-01-30 14:02 ` [PATCH 5.15 24/24] Input: xpad - add support for wooting two he (arm) Greg Kroah-Hartman
2025-01-30 18:47 ` [PATCH 5.15 00/24] 5.15.178-rc1 review Mark Brown
2025-01-30 21:11 ` Florian Fainelli
2025-01-31 5:38 ` Jon Hunter
2025-01-31 14:04 ` Ron Economos
2025-01-31 15:23 ` Naresh Kamboju
2025-01-31 17:01 ` Muhammad Usama Anjum
2025-02-01 6:30 ` Vijayendra Suman
2025-02-01 8:14 ` [PATCH 5.15] " Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250130140127.712306664@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=g1042620637@gmail.com \
--cc=jhs@mojatatu.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=petrm@nvidia.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.