[PATCH 4.14] net/sched: sch_hfsc: Ensure inner classes have fsc curve

[PATCH 4.14] net/sched: sch_hfsc: Ensure inner classes have fsc curve

[Shaoying Xu]

From: Budimir Markovic <markovicbudimir@gmail.com>

[ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ]

HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.

Don't allow non-root classes without HFSC_FSC to become parents.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ v4.14: Delete NL_SET_ERR_MSG because extack is not added to hfsc_change_class ]
Cc: <stable@vger.kernel.org> # 4.14 
Signed-off-by: Shaoying Xu <shaoyi@amazon.com>
---
 net/sched/sch_hfsc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 3f88b75488b0..3a43abe4d9c4 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1020,6 +1020,8 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 		if (parent == NULL)
 			return -ENOENT;
 	}
+	if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root)
+		return -EINVAL;
 
 	if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
 		return -EINVAL;
-- 
2.40.1

Re: [PATCH 4.14] net/sched: sch_hfsc: Ensure inner classes have fsc curve

[Shaoying Xu]

Hi Budimir, Greg,

Sorry to bother again with this patch but it fixes the CVE-2023-4623 and has also been backported to all stable kernels other than v4.14 so I wonder is there a reason to skip v4.14? I removed the NL_SET_ERR_MSG call because extack is not added to hfsc_change_class in 4.14 and hope to get some confirmation if it can be applied to 4.14 tree. 

Thanks,
Shaoying

< On 2023-09-20, 10:52 AM, "Xu, Shaoying" <shaoyi@amazon.com <mailto:shaoyi@amazon.com>> wrote:
< 
< 
< From: Budimir Markovic <markovicbudimir@gmail.com <mailto:markovicbudimir@gmail.com>>
< 
< 
< [ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ]
< 
< 
< HFSC assumes that inner classes have an fsc curve, but it is currently
< possible for classes without an fsc curve to become parents. This leads
< to bugs including a use-after-free.
< 
< 
< Don't allow non-root classes without HFSC_FSC to become parents.
< 
< 
< Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
< Reported-by: Budimir Markovic <markovicbudimir@gmail.com <mailto:markovicbudimir@gmail.com>>
< Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com <mailto:markovicbudimir@gmail.com>>
< Acked-by: Jamal Hadi Salim <jhs@mojatatu.com <mailto:jhs@mojatatu.com>>
< Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com <mailto:20230824084905.422-1-markovicbudimir@gmail.com>
< Signed-off-by: Jakub Kicinski <kuba@kernel.org <mailto:kuba@kernel.org>>
< [ v4.14: Delete NL_SET_ERR_MSG because extack is not added to hfsc_change_class ]
< Cc: <stable@vger.kernel.org <mailto:stable@vger.kernel.org>> # 4.14 
< Signed-off-by: Shaoying Xu <shaoyi@amazon.com <mailto:shaoyi@amazon.com>>
< ---
< net/sched/sch_hfsc.c | 2 ++
< 1 file changed, 2 insertions(+)
< 
< 
< diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
< index 3f88b75488b0..3a43abe4d9c4 100644
< --- a/net/sched/sch_hfsc.c
< +++ b/net/sched/sch_hfsc.c
< @@ -1020,6 +1020,8 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
< if (parent == NULL)
< return -ENOENT;
< }
< + if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root)
< + return -EINVAL;
< 
< 
< if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
< return -EINVAL;
< -- 
< 2.40.1
< 

Re: [PATCH 4.14] net/sched: sch_hfsc: Ensure inner classes have fsc curve

[Greg KH]

On Wed, Sep 27, 2023 at 03:21:52AM +0000, Shaoying Xu wrote:
> Hi Budimir, Greg,
> 
> Sorry to bother again with this patch but it fixes the CVE-2023-4623 and has also been backported to all stable kernels other than v4.14 so I wonder is there a reason to skip v4.14? I removed the NL_SET_ERR_MSG call because extack is not added to hfsc_change_class in 4.14 and hope to get some confirmation if it can be applied to 4.14 tree. 
> 
> Thanks,
> Shaoying
> 
> < On 2023-09-20, 10:52 AM, "Xu, Shaoying" <shaoyi@amazon.com <mailto:shaoyi@amazon.com>> wrote:

You sent this less than a week ago (by a few hours).  Please relax and
be patient for it to be processed, ESPECIALLY for such an older and
slow-moving kernel like 4.14, there should not be any real rush here,
right?

thanks,

greg k-h

Re: [PATCH 4.14] net/sched: sch_hfsc: Ensure inner classes have fsc curve

[Greg KH]

On Wed, Sep 20, 2023 at 05:51:45PM +0000, Shaoying Xu wrote:
> From: Budimir Markovic <markovicbudimir@gmail.com>
> 
> [ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ]
> 
> HFSC assumes that inner classes have an fsc curve, but it is currently
> possible for classes without an fsc curve to become parents. This leads
> to bugs including a use-after-free.
> 
> Don't allow non-root classes without HFSC_FSC to become parents.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
> Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> [ v4.14: Delete NL_SET_ERR_MSG because extack is not added to hfsc_change_class ]
> Cc: <stable@vger.kernel.org> # 4.14 

Trailing whitespace, please fix your editor :(

Anyway, now queued up, thanks.

greg k-h