* [PATCH net] sch_sfq: validate silly quantum values
@ 2020-04-27 1:19 Eric Dumazet
2020-04-27 18:50 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Eric Dumazet @ 2020-04-27 1:19 UTC (permalink / raw)
To: David S . Miller
Cc: netdev, Eric Dumazet, Eric Dumazet, syzbot+0251e883fe39e7a0cb0a,
Jason A . Donenfeld
syzbot managed to set up sfq so that q->scaled_quantum was zero,
triggering an infinite loop in sfq_dequeue()
More generally, we must only accept quantum between 1 and 2^18 - 7,
meaning scaled_quantum must be in [1, 0x7FFF] range.
Otherwise, we also could have a loop in sfq_dequeue()
if scaled_quantum happens to be 0x8000, since slot->allot
could indefinitely switch between 0 and 0x8000.
Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
---
net/sched/sch_sfq.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index c787d4d46017b4b41b8eb6d41f2b0a44560ff5bf..5a6def5e4e6df2e7b66c88aa877c7318270d48be 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -637,6 +637,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
if (ctl->divisor &&
(!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
return -EINVAL;
+
+ /* slot->allot is a short, make sure quantum is not too big. */
+ if (ctl->quantum) {
+ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
+
+ if (scaled <= 0 || scaled > SHRT_MAX)
+ return -EINVAL;
+ }
+
if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
ctl_v1->Wlog))
return -EINVAL;
--
2.26.2.303.gf8c07b1a785-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] sch_sfq: validate silly quantum values
2020-04-27 1:19 [PATCH net] sch_sfq: validate silly quantum values Eric Dumazet
@ 2020-04-27 18:50 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2020-04-27 18:50 UTC (permalink / raw)
To: edumazet; +Cc: netdev, eric.dumazet, syzbot+0251e883fe39e7a0cb0a, Jason
From: Eric Dumazet <edumazet@google.com>
Date: Sun, 26 Apr 2020 18:19:07 -0700
> syzbot managed to set up sfq so that q->scaled_quantum was zero,
> triggering an infinite loop in sfq_dequeue()
>
> More generally, we must only accept quantum between 1 and 2^18 - 7,
> meaning scaled_quantum must be in [1, 0x7FFF] range.
>
> Otherwise, we also could have a loop in sfq_dequeue()
> if scaled_quantum happens to be 0x8000, since slot->allot
> could indefinitely switch between 0 and 0x8000.
>
> Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
Applied and queued up for -stable, thanks Eric.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-04-27 18:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-27 1:19 [PATCH net] sch_sfq: validate silly quantum values Eric Dumazet
2020-04-27 18:50 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.