linux-yocto/net
Pedro Tammela 2f2190ce4c net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
commit ac9fe7dd8e730a103ae4481147395cc73492d786 upstream.

Savino says:
    "We are writing to report that this recent patch
    (141d34391abbb315d68556b7c67ad97885407547) [1]
    can be bypassed, and a UAF can still occur when HFSC is utilized with
    NETEM.

    The patch only checks the cl->cl_nactive field to determine whether
    it is the first insertion or not [2], but this field is only
    incremented by init_vf [3].

    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the
    check and insert the class twice in the eltree.
    Under normal conditions, this would lead to an infinite loop in
    hfsc_dequeue for the reasons we already explained in this report [5].

    However, if TBF is added as root qdisc and it is configured with a
    very low rate, it can be utilized to prevent packets from being dequeued.
    This behavior can be exploited to perform subsequent insertions in the
    HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child,
check explicitly in hfsc_enqueue whether the class is already in the eltree
whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Fixes: 37d9cf1a3c ("sched: Fix detection of empty queues in child qdiscs")
Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
Reported-by: William Liu <will@willsroot.io>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://patch.msgid.link/20250522181448.1439717-2-pctammela@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-06-04 14:43:51 +02:00
6lowpan ipv6: eliminate ndisc_ops_is_useropt() 2024-08-12 17:23:57 -07:00
9p 9p/trans_fd: mark concurrent read and writes to p9_conn->err 2025-05-02 07:59:20 +02:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-17 13:40:37 +01:00
8021q net: vlan: don't propagate flags on open 2025-04-20 10:15:21 +02:00
appletalk
atm atm: Fix NULL pointer dereference 2025-04-07 10:08:35 +02:00
ax25 ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt 2025-02-21 14:01:16 +01:00
batman-adv batman-adv: Ignore own maximum aggregation size during RX 2025-03-28 22:03:31 +01:00
bluetooth Bluetooth: L2CAP: Fix not checking l2cap_chan security level 2025-05-29 11:03:16 +02:00
bpf bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() 2025-02-27 04:30:18 -08:00
bridge bridge: netfilter: Fix forwarding of fragmented packets 2025-05-29 11:03:16 +02:00
caif move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
can can: bcm: add missing rcu read protection for procfs content 2025-05-29 11:03:19 +02:00
ceph ceph: allocate sparse_ext map only for sparse reads 2025-01-02 10:34:09 +01:00
core net: flush_backlog() small changes 2025-05-29 11:03:01 +02:00
dcb
dccp dccp: Fix memory leak in dccp_feat_change_recv 2024-12-14 20:03:05 +01:00
devlink devlink: fix xa_alloc_cyclic() error handling 2025-03-28 22:03:27 +01:00
dns_resolver
dsa net: dsa: microchip: linearize skb for tail-tagging switches 2025-05-29 11:03:20 +02:00
ethernet
ethtool ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() 2025-04-25 10:47:43 +02:00
handshake net/handshake: use sockfd_put() helper 2024-08-27 16:09:25 -07:00
hsr net: hsr: Fix PRP duplicate detection 2025-05-29 11:02:20 +02:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-14 20:03:47 +01:00
ife
ipv4 xfrm: Fix UDP GRO handling for some corner cases 2025-05-29 11:03:14 +02:00
ipv6 xfrm: Fix UDP GRO handling for some corner cases 2025-05-29 11:03:14 +02:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-12-05 14:02:31 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-08-19 18:36:12 -07:00
key xfrm: Add support for per cpu xfrm state handling. 2025-02-08 09:58:00 +01:00
l2tp net/l2tp: fix warning in l2tp_exit_net found by syzbot 2024-12-05 14:02:31 +01:00
l3mdev
lapb
llc llc: fix data loss when reading from a socket in llc_ui_recvmsg() 2025-05-29 11:03:20 +02:00
mac80211 wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx 2025-05-29 11:02:56 +02:00
mac802154 mac802154: check local interfaces before deleting sdata list 2025-01-23 17:22:54 +01:00
mctp net: mctp: Ensure keys maintain only one ref to corresponding dev 2025-05-22 14:29:40 +02:00
mpls mpls: Handle error of rtnl_register_module(). 2024-10-10 15:39:35 +02:00
mptcp mptcp: pm: userspace: flags: clearer msg if no remote addr 2025-05-29 11:02:56 +02:00
ncsi net/ncsi: wait for the last response to Deselect Package before configuring channel 2025-02-17 10:05:41 +01:00
netfilter netfilter: conntrack: Bound nf_conntrack sysctl writes 2025-05-29 11:02:20 +02:00
netlabel
netlink netlink: fix false positive warning in extack during dumps 2024-12-05 14:02:31 +01:00
netrom netrom: check buffer length before accessing it 2025-01-09 13:33:38 +01:00
nfc NFC: nci: Add bounds checking in nci_hci_create_pipe() 2025-02-17 10:05:40 +01:00
nsh
openvswitch openvswitch: Fix unsafe attribute parsing in output_userspace() 2025-05-18 08:24:47 +02:00
packet af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK 2025-01-09 13:33:42 +01:00
phonet phonet: Handle error of rtnl_register_module(). 2024-10-10 15:39:36 +02:00
psample psample: adjust size if rate_as_probability is set 2024-12-27 14:02:06 +01:00
qrtr net: qrtr: Update packets cloning when broadcasting 2024-09-24 10:48:16 +02:00
rds rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy 2025-01-17 13:40:47 +01:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-12-05 14:01:57 +01:00
rose net: rose: lock the socket in rose_bind() 2025-02-17 10:05:01 +01:00
rxrpc rxrpc: rxperf: Fix missing decoding of terminal magic cookie 2025-03-07 18:25:29 +01:00
sched net_sched: hfsc: Address reentrant enqueue adding class to eltree twice 2025-06-04 14:43:51 +02:00
sctp sctp: detect and prevent references to a freed transport in sendmsg 2025-04-20 10:15:50 +02:00
smc net/smc: use the correct ndev to find pnetid by pnetid table 2025-05-29 11:02:18 +02:00
strparser strparser: Add read_sock callback 2025-02-27 04:30:19 -08:00
sunrpc SUNRPC: rpcbind should never reset the port to the value '0' 2025-05-29 11:02:06 +02:00
switchdev net: switchdev: Convert blocking notification chain to a raw one 2025-03-22 12:54:12 -07:00
tipc net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done 2025-05-29 11:03:18 +02:00
tls net/tls: fix kernel panic when alloc_page failed 2025-05-22 14:29:43 +02:00
unix splice: do not checksum AF_UNIX sockets 2024-12-19 18:12:59 +01:00
vmw_vsock vsock: avoid timeout during connect() if the socket is closing 2025-04-10 14:39:34 +02:00
wireless wifi: cfg80211: allow IR in 20 MHz configurations 2025-05-29 11:02:23 +02:00
x25
xdp xsk: Fix race condition in AF_XDP generic RX path 2025-05-09 09:50:38 +02:00
xfrm xfrm: Sanitize marks before insert 2025-05-29 11:03:15 +02:00
compat.c
devres.c
Kconfig memory-provider: disable building dmabuf mp on !CONFIG_PAGE_POOL 2024-09-13 11:41:45 -07:00
Kconfig.debug
Makefile
socket.c net: explicitly clear the sk pointer, when pf->create fails 2024-10-07 16:21:59 -07:00
sysctl_net.c