From: Jamal Hadi Salim <jhs@mojatatu.com>
To: davem@davemloft.net, kuba@kernel.org, edumazet@google.com,
pabeni@redhat.com
Cc: xiyou.wangcong@gmail.com, jiri@resnulli.us,
netdev@vger.kernel.org, zengyhkyle@gmail.com,
Jamal Hadi Salim <jhs@mojatatu.com>
Subject: [PATCH net 0/2] dont intepret cls results when asked to drop
Date: Sun, 1 Jan 2023 16:57:42 -0500
Message-ID: <20230101215744.709178-1-jhs@mojatatu.com>

It is possible that an error in processing may occur in tcf_classify() which
will result in res.classid being some garbage value. An example of such a code
path is when the classifier goes into a loop due to bad policy. See patch 1/2
for a sample splat.

While the core code reacts correctly and asks the caller to drop the packet
(by returning TC_ACT_SHOT), some callers first interpret the res.class as
a pointer to memory and end up dropping the packet only after some activity with
the pointer. There is a likelihood of this resulting in an exploit. So let's fix
all the known qdiscs that behave this way.

Jamal Hadi Salim (2):
  net: sched: atm: dont intepret cls results when asked to drop
  net: sched: cbq: dont intepret cls results when asked to drop

 net/sched/sch_atm.c | 5 ++++-
 net/sched/sch_cbq.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

--
2.34.1
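
The ordering problem the cover letter describes, as an added user-space model that is not code from the patches or from the kernel: a caller that consumes the classifier result before reading the verdict, beside one that stops on the drop verdict. All type and function names, and the garbage values, are hypothetical stand-ins constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model; every name here is hypothetical. */
enum verdict { ACT_OK = 0, ACT_SHOT = 2 };
struct cls_result { uintptr_t class_ptr; uint32_t classid; };
struct outcome { int dropped; int interpreted; uintptr_t seen; };
static struct flow { int id; } flows[2] = { { 1 }, { 2 } };

/* Classifier model: on a processing error it returns ACT_SHOT and
 * leaves *res untouched, so its fields hold whatever was there. */
static enum verdict classify(int pkt, struct cls_result *res)
{
    if (pkt < 0)
        return ACT_SHOT;
    res->class_ptr = (uintptr_t)&flows[pkt % 2];
    res->classid = (uint32_t)flows[pkt % 2].id;
    return ACT_OK;
}

/* Before: the result is taken as a pointer before the verdict is read. */
static struct outcome enqueue_unchecked(int pkt)
{
    struct cls_result res = { 0xdeadbeefu, 0xffffffffu }; /* constructed garbage */
    enum verdict v = classify(pkt, &res);
    struct outcome o = { 0, 1, res.class_ptr }; /* pointer already consumed */

    o.dropped = (v == ACT_SHOT);
    return o;
}

/* After: a drop verdict ends processing; res is never looked at. */
static struct outcome enqueue_checked(int pkt)
{
    struct cls_result res = { 0xdeadbeefu, 0xffffffffu }; /* constructed garbage */
    struct outcome o = { 0, 0, 0 };
    if (classify(pkt, &res) == ACT_SHOT) {
        o.dropped = 1;
        return o;
    }
    o.interpreted = 1;
    o.seen = res.class_ptr;
    return o;
}

int main(void)
{
    printf("unchecked: %d, checked: %d\n", enqueue_unchecked(-1).interpreted, enqueue_checked(-1).interpreted);
    return 0;
}
```

Both callers drop the failing packet; only the unchecked one has already handled the garbage value as a pointer by the time it does.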