[net,0/2] dont intepret cls results when asked to drop

Message ID 20230101215744.709178-1-jhs@mojatatu.com (mailing list archive)

Message

Jamal Hadi Salim Jan. 1, 2023, 9:57 p.m. UTC
It is possible that an error in processing may occur in tcf_classify() which
will result in res.classid being some garbage value. Example of such a code path
is when the classifier goes into a loop due to bad policy. See patch 1/2
for a sample splat.
While the core code reacts correctly and asks the caller to drop the packet
(by returning TC_ACT_SHOT) some callers first interpret the res.class as
a pointer to memory and end up dropping the packet only after some activity with
the pointer. There is a likelihood of this resulting in an exploit. So let's fix
all the known qdiscs that behave this way.

Jamal Hadi Salim (2):
  net: sched: atm: dont intepret cls results when asked to drop
  net: sched: cbq: dont intepret cls results when asked to drop

 net/sched/sch_atm.c | 5 ++++-
 net/sched/sch_cbq.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
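
The ordering problem the cover letter describes, as an added user-space example that is not code from the series or from the kernel: a classifier that signals "drop" without filling in its result, and a caller that checks the verdict before it treats the result as a pointer. All names here (`classify`, `enqueue_checked`, `struct flow`, `struct cls_result`, `ACT_SHOT`) are hypothetical stand-ins for the kernel's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; hypothetical names, not the kernel's definitions. */
enum verdict { ACT_OK, ACT_SHOT };

struct flow { unsigned int id; unsigned long enqueued; };

struct cls_result {
    uintptr_t class;        /* pointer-sized; meaningful only on ACT_OK */
    unsigned int classid;
};

/* On the error path the classifier returns ACT_SHOT and does not write
 * res, so whatever was in res before the call (possibly garbage) stays. */
static enum verdict classify(int mark, struct flow *flows, size_t n,
                             struct cls_result *res)
{
    if (mark < 0 || (size_t)mark >= n)
        return ACT_SHOT;
    res->class = (uintptr_t)&flows[mark];
    res->classid = flows[mark].id;
    return ACT_OK;
}

/* Returns 0 when the packet is queued on a flow, -1 when it is dropped. */
static int enqueue_checked(int mark, struct flow *flows, size_t n,
                           struct cls_result *res)
{
    enum verdict v = classify(mark, flows, n, res);

    /* The unsafe ordering would cast res->class to a struct flow * and
     * update it here, and only afterwards look at v. */
    if (v == ACT_SHOT)
        return -1;          /* drop first; res is never interpreted */
    ((struct flow *)res->class)->enqueued++;
    return 0;
}

int main(void)
{
    struct flow flows[2] = { { 10, 0 }, { 11, 0 } };
    struct cls_result res = { (uintptr_t)0xdeadbeef, 0xffffffffu }; /* constructed garbage */

    printf("bad mark  -> %d\n", enqueue_checked(7, flows, 2, &res));
    printf("good mark -> %d\n", enqueue_checked(1, flows, 2, &res));
    return 0;
}
```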

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 2, 2023, 1:40 p.m. UTC | #1
Hello:

This series was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Sun,  1 Jan 2023 16:57:42 -0500 you wrote:
> It is possible that an error in processing may occur in tcf_classify() which
> will result in res.classid being some garbage value. Example of such a code path
> is when the classifier goes into a loop due to bad policy. See patch 1/2
> for a sample splat.
> While the core code reacts correctly and asks the caller to drop the packet
> (by returning TC_ACT_SHOT) some callers first interpret the res.class as
> a pointer to memory and end up dropping the packet only after some activity with
> the pointer. There is a likelihood of this resulting in an exploit. So let's fix
> all the known qdiscs that behave this way.
> 
> [...]

Here is the summary with links:
  - [net,1/2] net: sched: atm: dont intepret cls results when asked to drop
    https://git.kernel.org/netdev/net/c/a2965c7be052
  - [net,2/2] net: sched: cbq: dont intepret cls results when asked to drop
    (no matching commit)

You are awesome, thank you!