linux

iv/linux

Go to file

Pedro Tammela 3e337087c3 net/sched: sch_qfq: account for stab overhead in qfq_enqueue Lion says: ------- In the QFQ scheduler a similar issue to CVE-2023-31436 persists. Consider the following code in net/sched/sch_qfq.c: static int qfq_enqueue(struct sk_buff skb, struct Qdisc sch, struct sk_buff **to_free) { unsigned int len = qdisc_pkt_len(skb), gso_segs; // ... if (unlikely(cl->agg->lmax < len)) { pr_debug("qfq: increasing maxpkt from %u to %u for class %u", cl->agg->lmax, len, cl->common.classid); err = qfq_change_agg(sch, cl, cl->agg->class_weight, len); if (err) { cl->qstats.drops++; return qdisc_drop(skb, sch, to_free); } // ... } Similarly to CVE-2023-31436, "lmax" is increased without any bounds checks according to the packet length "len". Usually this would not impose a problem because packet sizes are naturally limited. This is however not the actual packet length, rather the "qdisc_pkt_len(skb)" which might apply size transformations according to "struct qdisc_size_table" as created by "qdisc_get_stab()" in net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc. A user may choose virtually any size using such a table. As a result the same issue as in CVE-2023-31436 can occur, allowing heap out-of-bounds read / writes in the kmalloc-8192 cache. ------- We can create the issue with the following commands: tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \ overhead 999999999 linklayer ethernet qfq tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k tc filter add dev $DEV parent 1: matchall classid 1:1 ping -I $DEV 1.1.1.2 This is caused by incorrectly assuming that qdisc_pkt_len() returns a length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX. Fixes: `462dbc9101` ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Reported-by: Lion <nnamrec@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Pedro Tammela <pctammela@mojatatu.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>		2023-07-13 11:11:59 +02:00
arch	riscv, bpf: Fix inconsistent JIT image generation	2023-07-11 09:09:40 +02:00
block	block-6.5-2023-07-03	2023-07-03 18:48:38 -07:00
certs	KEYS: Add missing function documentation	2023-04-24 16:15:52 +03:00
crypto	This update includes the following changes:	2023-06-30 21:27:13 -07:00
Documentation	docs: netdev: update the URL of the status page	2023-07-11 20:27:00 -07:00
drivers	wifi: rtw89: debug: fix error code in rtw89_debug_priv_send_h2c_set()	2023-07-12 17:52:37 -07:00
fs	f2fs update for 6.5-rc1	2023-07-05 14:14:37 -07:00
include	net/sched: make psched_mtu() RTNL-less safe	2023-07-12 15:59:33 -07:00
init	Kbuild updates for v6.5	2023-07-01 09:24:31 -07:00
io_uring	io_uring-6.5-2023-07-03	2023-07-03 18:43:10 -07:00
ipc	Merge branch 'work.namespace' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2023-02-24 19:20:07 -08:00
kernel	bpf: cpumap: Fix memory leak in cpu_map_update_elem	2023-07-11 19:57:03 -07:00
lib	Char/Misc and other driver subsystem updates for 6.5-rc1	2023-07-03 12:46:47 -07:00
LICENSES	LICENSES: Add the copyleft-next-0.3.1 license	2022-11-08 15:44:01 +01:00
mm	gup: make the stack expansion warning a bit more targeted	2023-07-05 09:33:31 -07:00
net	net/sched: sch_qfq: account for stab overhead in qfq_enqueue	2023-07-13 11:11:59 +02:00
rust	rust: error: `impl Debug` for `Error` with `errname()` integration	2023-06-13 01:24:42 +02:00
samples	Including fixes from bluetooth, bpf and wireguard.	2023-07-05 15:44:45 -07:00
scripts	parisc architecture fixes and updates for kernel v6.5-rc1 (pt 2):	2023-07-05 10:28:38 -07:00
security	Scope-based Resource Management infrastructure	2023-07-04 13:50:38 -07:00
sound	soundwire updates for 6.5	2023-07-05 10:54:43 -07:00
tools	selftests: tc-testing: add tests for qfq mtu sanity check	2023-07-13 11:11:59 +02:00
usr	initramfs: Encode dependency on KBUILD_BUILD_TIMESTAMP	2023-06-06 17:54:49 +09:00
virt	ARM64:	2023-07-03 15:32:22 -07:00
.clang-format	iommu: Add for_each_group_device()	2023-05-23 08:15:51 +02:00
.cocciconfig
.get_maintainer.ignore	get_maintainer: add Alan to .get_maintainer.ignore	2022-08-20 15:17:44 -07:00
.gitattributes	.gitattributes: set diff driver for Rust source code files	2023-05-31 17:48:25 +02:00
.gitignore	Revert ".gitignore: ignore .cover and .mbx"	2023-07-04 15:05:12 -07:00
.mailmap	- New Drivers	2023-07-03 10:55:04 -07:00
.rustfmt.toml	rust: add `.rustfmt.toml`	2022-09-28 09:02:20 +02:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	- Address -Wmissing-prototype warnings	2023-06-26 16:43:54 -07:00
Kbuild	Kbuild updates for v6.1	2022-10-10 12:00:45 -07:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	MAINTAINERS: Add another mailing list for QUALCOMM ETHQOS ETHERNET DRIVER	2023-07-11 20:27:30 -07:00
Makefile	Scope-based Resource Management infrastructure	2023-07-04 13:50:38 -07:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.