MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-07-05 05:15:23 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
58485ff1a7
linux-yocto/net
History
Pedro Tammela a0ec22fa20 net_sched: hfsc: Address reentrant enqueue adding class to eltree twice 
commit ac9fe7dd8e730a103ae4481147395cc73492d786 upstream.

Savino says:
    "We are writing to report that this recent patch
    (141d34391abbb315d68556b7c67ad97885407547) [1]
    can be bypassed, and a UAF can still occur when HFSC is utilized with
    NETEM.

    The patch only checks the cl->cl_nactive field to determine whether
    it is the first insertion or not [2], but this field is only
    incremented by init_vf [3].

    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the
    check and insert the class twice in the eltree.
    Under normal conditions, this would lead to an infinite loop in
    hfsc_dequeue for the reasons we already explained in this report [5].

    However, if TBF is added as root qdisc and it is configured with a
    very low rate,
    it can be utilized to prevent packets from being dequeued.
    This behavior can be exploited to perform subsequent insertions in the
    HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child,
check explicitly in hfsc_enqueue whether the class is already in the eltree
whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Fixes: 37d9cf1a3c ("sched: Fix detection of empty queues in child qdiscs")
Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
Reported-by: William Liu <will@willsroot.io>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://patch.msgid.link/20250522181448.1439717-2-pctammela@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-06-04 14:40:25 +02:00
..
6lowpan
9p 9p/net: fix improper handling of bogus negative read/write replies 2025-05-02 07:47:04 +02:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-17 13:34:38 +01:00
8021q net: vlan: don't propagate flags on open 2025-04-25 10:43:31 +02:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-20 17:00:19 +01:00
atm atm: Fix NULL pointer dereference 2025-04-07 10:05:45 +02:00
ax25 ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt 2025-02-21 13:49:56 +01:00
batman-adv batman-adv: Ignore own maximum aggregation size during RX 2025-03-28 21:59:01 +01:00
bluetooth Bluetooth: L2CAP: Fix not checking l2cap_chan security level 2025-06-04 14:40:19 +02:00
bpf bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() 2025-03-07 16:56:37 +01:00
bpfilter
bridge bridge: netfilter: Fix forwarding of fragmented packets 2025-06-04 14:40:19 +02:00
caif
can can: bcm: add missing rcu read protection for procfs content 2025-06-04 14:40:20 +02:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-07-18 13:18:41 +02:00
core af_unix: Add dead flag to struct scm_fp_list. 2025-06-04 14:40:24 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 12:08:17 +02:00
dccp net: fix data-races around sk->sk_forward_alloc 2025-01-23 17:17:17 +01:00
devlink devlink: bump the instance index directly when iterating 2024-10-22 15:56:43 +02:00
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-01-25 15:27:38 -08:00
dsa net: dsa: add support for mac_prepare() and mac_finish() calls 2025-05-02 07:46:50 +02:00
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-05-02 16:29:29 +02:00
ethtool net: ethtool: Don't call .cleanup_data when prepare_data fails 2025-04-25 10:43:25 +02:00
hsr net: hsr: fix fill_frame_info() regression vs VLAN packets 2025-02-21 13:49:23 +01:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-14 19:54:41 +01:00
ife net: sched: ife: fix potential use-after-free 2024-01-01 12:38:56 +00:00
ipv4 espintcp: remove encap socket caching to avoid reference leak 2025-06-04 14:40:19 +02:00
ipv6 espintcp: remove encap socket caching to avoid reference leak 2025-06-04 14:40:19 +02:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-12-14 19:53:50 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-08-29 17:30:44 +02:00
key net: af_key: fix sadb_x_filter validation 2023-08-23 17:52:32 +02:00
l2tp genetlink: hold RCU in genlmsg_mcast() 2024-11-01 01:56:00 +01:00
l3mdev
lapb
llc llc: fix data loss when reading from a socket in llc_ui_recvmsg() 2025-06-04 14:40:21 +02:00
mac80211 wifi: mac80211: remove misplaced drv_mgd_complete_tx() call 2025-06-04 14:40:15 +02:00
mac802154 mac802154: check local interfaces before deleting sdata list 2025-01-23 17:17:11 +01:00
mctp net: mctp: Ensure keys maintain only one ref to corresponding dev 2025-05-22 14:10:02 +02:00
mpls net: mpls: error out if inner headers are not set 2024-04-13 13:05:27 +02:00
mptcp mptcp: sockopt: fix getting freebind & transparent 2025-04-25 10:44:00 +02:00
ncsi net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling 2025-02-21 13:49:54 +01:00
netfilter netfilter: conntrack: Bound nf_conntrack sysctl writes 2025-06-04 14:40:07 +02:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-01-25 15:27:20 -08:00
netlink sock_diag: add module pointer to "struct sock_diag_handler" 2024-12-14 19:53:32 +01:00
netrom netrom: check buffer length before accessing it 2025-01-09 13:30:01 +01:00
nfc NFC: nci: Add bounds checking in nci_hci_create_pipe() 2025-02-21 13:49:51 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-05-17 11:55:59 +02:00
openvswitch openvswitch: Fix unsafe attribute parsing in output_userspace() 2025-05-18 08:21:20 +02:00
packet af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK 2025-01-09 13:30:02 +01:00
phonet phonet: fix rtm_phonet_notify() skb allocation 2024-05-17 11:56:12 +02:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:39:11 +01:00
qrtr net: qrtr: Update packets cloning when broadcasting 2024-10-17 15:21:13 +02:00
rds net:rds: Fix possible deadlock in rds_message_put 2024-08-29 17:30:20 +02:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-12-14 19:53:33 +01:00
rose net: rose: lock the socket in rose_bind() 2025-02-21 13:49:37 +01:00
rxrpc rxrpc: Improve setsockopt() handling of malformed user input 2024-12-14 19:53:52 +01:00
sched net_sched: hfsc: Address reentrant enqueue adding class to eltree twice 2025-06-04 14:40:25 +02:00
sctp sctp: add mutual exclusion in proc_sctp_do_udp_port() 2025-05-22 14:10:09 +02:00
smc net/smc: use the correct ndev to find pnetid by pnetid table 2025-06-04 14:40:06 +02:00
strparser strparser: Add read_sock callback 2025-03-07 16:56:37 +01:00
sunrpc SUNRPC: rpcbind should never reset the port to the value '0' 2025-06-04 14:40:03 +02:00
switchdev net: switchdev: Convert blocking notification chain to a raw one 2025-03-28 21:58:49 +01:00
tipc net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done 2025-06-04 14:40:20 +02:00
tls net/tls: fix kernel panic when alloc_page failed 2025-05-22 14:10:03 +02:00
unix af_unix: Fix uninit-value in __unix_walk_scc() 2025-06-04 14:40:25 +02:00
vmw_vsock vsock: avoid timeout during connect() if the socket is closing 2025-04-10 14:33:40 +02:00
wireless wifi: cfg80211: cancel wiphy_work before freeing wiphy 2025-03-28 21:58:48 +01:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-03-26 18:20:42 -04:00
xdp xsk: fix an integer overflow in xp_create_and_assign_umem() 2025-03-28 21:59:01 +01:00
xfrm xfrm: Sanitize marks before insert 2025-06-04 14:40:19 +02:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile af_unix: Remove CONFIG_UNIX_SCM. 2025-06-04 14:40:23 +02:00
socket.c net: explicitly clear the sk pointer, when pf->create fails 2024-10-17 15:22:27 +02:00
sysctl_net.c sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table) 2024-08-11 12:35:51 +02:00