linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 63/68] sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
Date: Sun,  6 Oct 2019 19:21:39 +0200	[thread overview]
Message-ID: <20191006171138.008238363@linuxfoundation.org> (raw)
In-Reply-To: <20191006171108.150129403@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e9789c7cc182484fc031fd88097eb14cb26c4596 ]

syzbot reported a crash in cbq_normalize_quanta() caused
by an out of range cl->priority.

iproute2 enforces this check, but malicious users do not.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
Modules linked in:
CPU: 1 PID: 26447 Comm: syz-executor.1 Not tainted 5.3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cbq_normalize_quanta.part.0+0x1fd/0x430 net/sched/sch_cbq.c:902
RSP: 0018:ffff8801a5c333b0 EFLAGS: 00010206
RAX: 0000000020000003 RBX: 00000000fffffff8 RCX: ffffc9000712f000
RDX: 00000000000043bf RSI: ffffffff83be8962 RDI: 0000000100000018
RBP: ffff8801a5c33420 R08: 000000000000003a R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000002ef
R13: ffff88018da95188 R14: dffffc0000000000 R15: 0000000000000015
FS:  00007f37d26b1700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c7cec CR3: 00000001bcd0a006 CR4: 00000000001626f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 [<ffffffff83be9d57>] cbq_normalize_quanta include/net/pkt_sched.h:27 [inline]
 [<ffffffff83be9d57>] cbq_addprio net/sched/sch_cbq.c:1097 [inline]
 [<ffffffff83be9d57>] cbq_set_wrr+0x2d7/0x450 net/sched/sch_cbq.c:1115
 [<ffffffff83bee8a7>] cbq_change_class+0x987/0x225b net/sched/sch_cbq.c:1537
 [<ffffffff83b96985>] tc_ctl_tclass+0x555/0xcd0 net/sched/sch_api.c:2329
 [<ffffffff83a84655>] rtnetlink_rcv_msg+0x485/0xc10 net/core/rtnetlink.c:5248
 [<ffffffff83cadf0a>] netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2510
 [<ffffffff83a7db6d>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5266
 [<ffffffff83cac2c6>] netlink_unicast_kernel net/netlink/af_netlink.c:1324 [inline]
 [<ffffffff83cac2c6>] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1350
 [<ffffffff83cacd4a>] netlink_sendmsg+0x89a/0xd50 net/netlink/af_netlink.c:1939
 [<ffffffff8399d46e>] sock_sendmsg_nosec net/socket.c:673 [inline]
 [<ffffffff8399d46e>] sock_sendmsg+0x12e/0x170 net/socket.c:684
 [<ffffffff8399f1fd>] ___sys_sendmsg+0x81d/0x960 net/socket.c:2359
 [<ffffffff839a2d05>] __sys_sendmsg+0x105/0x1d0 net/socket.c:2397
 [<ffffffff839a2df9>] SYSC_sendmsg net/socket.c:2406 [inline]
 [<ffffffff839a2df9>] SyS_sendmsg+0x29/0x30 net/socket.c:2404
 [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
 [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_cbq.c |   30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1131,6 +1131,26 @@ static const struct nla_policy cbq_polic
 	[TCA_CBQ_POLICE]	= { .len = sizeof(struct tc_cbq_police) },
 };
 
+static int cbq_opt_parse(struct nlattr *tb[TCA_CBQ_MAX + 1], struct nlattr *opt)
+{
+	int err;
+
+	if (!opt)
+		return -EINVAL;
+
+	err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy, NULL);
+	if (err < 0)
+		return err;
+
+	if (tb[TCA_CBQ_WRROPT]) {
+		const struct tc_cbq_wrropt *wrr = nla_data(tb[TCA_CBQ_WRROPT]);
+
+		if (wrr->priority > TC_CBQ_MAXPRIO)
+			err = -EINVAL;
+	}
+	return err;
+}
+
 static int cbq_init(struct Qdisc *sch, struct nlattr *opt)
 {
 	struct cbq_sched_data *q = qdisc_priv(sch);
@@ -1142,10 +1162,7 @@ static int cbq_init(struct Qdisc *sch, s
 	hrtimer_init(&q->delay_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS_PINNED);
 	q->delay_timer.function = cbq_undelay;
 
-	if (!opt)
-		return -EINVAL;
-
-	err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy, NULL);
+	err = cbq_opt_parse(tb, opt);
 	if (err < 0)
 		return err;
 
@@ -1459,10 +1476,7 @@ cbq_change_class(struct Qdisc *sch, u32
 	struct cbq_class *parent;
 	struct qdisc_rate_table *rtab = NULL;
 
-	if (opt == NULL)
-		return -EINVAL;
-
-	err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy, NULL);
+	err = cbq_opt_parse(tb, opt);
 	if (err < 0)
 		return err;
 

next prev parent reply	other threads:[~2019-10-06 18:01 UTC|newest]

Thread overview: 73+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-06 17:20 [PATCH 4.14 00/68] 4.14.148-stable review Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 01/68] tpm: migrate pubek_show to struct tpm_buf Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 02/68] tpm: use tpm_try_get_ops() in tpm-sysfs.c Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 03/68] tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM operations Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 04/68] drm/bridge: tc358767: Increase AUX transfer length limit Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 05/68] drm/panel: simple: fix AUO g185han01 horizontal blanking Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 06/68] video: ssd1307fb: Start page range at page_offset Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 07/68] drm/stm: attach gem fence to atomic state Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 08/68] drm/radeon: Fix EEH during kexec Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 09/68] gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 10/68] ipmi_si: Only schedule continuously in the thread in maintenance mode Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 11/68] clk: qoriq: Fix -Wunused-const-variable Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 12/68] clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 13/68] clk: sirf: Dont reference clk_init_data after registration Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 14/68] clk: zx296718: " Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 15/68] powerpc/xmon: Check for HV mode when dumping XIVE info from OPAL Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 16/68] powerpc/rtas: use device model APIs and serialization during LPM Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 17/68] powerpc/futex: Fix warning: oldval may be used uninitialized in this function Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 18/68] powerpc/pseries/mobility: use cond_resched when updating device tree Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 19/68] pinctrl: tegra: Fix write barrier placement in pmx_writel Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 20/68] vfio_pci: Restore original state on release Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 21/68] drm/nouveau/volt: Fix for some cards having 0 maximum voltage Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 22/68] drm/amdgpu/si: fix ASIC tests Greg Kroah-Hartman
2019-10-06 17:20 ` [PATCH 4.14 23/68] powerpc/64s/exception: machine check use correct cfar for late handler Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 24/68] powerpc/pseries: correctly track irq state in default idle Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 25/68] arm64: fix unreachable code issue with cmpxchg Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 26/68] clk: at91: select parent if main oscillator or bypass is enabled Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 27/68] scsi: core: Reduce memory required for SCSI logging Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 28/68] dma-buf/sw_sync: Synchronize signal vs syncpt free Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 29/68] MIPS: tlbex: Explicitly cast _PAGE_NO_EXEC to a boolean Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 30/68] i2c-cht-wc: Fix lockdep warning Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 31/68] mfd: intel-lpss: Remove D3cold delay Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 32/68] PCI: tegra: Fix OF node reference leak Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 33/68] livepatch: Nullify obj->mod in klp_module_coming()s error path Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 34/68] ARM: 8898/1: mm: Dont treat faults reported from cache maintenance as writes Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 35/68] rtc: snvs: fix possible race condition Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 36/68] HID: apple: Fix stuck function keys when using FN Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 37/68] PCI: rockchip: Propagate errors for optional regulators Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 38/68] PCI: imx6: " Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 39/68] PCI: exynos: Propagate errors for optional PHYs Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 40/68] security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb() Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 41/68] ARM: 8903/1: ensure that usable memory in bank 0 starts from a PMD-aligned address Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 42/68] fat: work around race with userspaces read via blockdev while mounting Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 43/68] pktcdvd: remove warning on attempting to register non-passthrough dev Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 44/68] hypfs: Fix error number left in struct pointer member Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 45/68] kbuild: clean compressed initramfs image Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 46/68] ocfs2: wait for recovering done after direct unlock request Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 47/68] kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 48/68] bpf: fix use after free in prog symbol exposure Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 49/68] cxgb4:Fix out-of-bounds MSI-X info array access Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 50/68] erspan: remove the incorrect mtu limit for erspan Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 51/68] hso: fix NULL-deref on tty open Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 52/68] ipv6: drop incoming packets having a v4mapped source address Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 53/68] net: ipv4: avoid mixed n_redirects and rate_tokens usage Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 54/68] net: qlogic: Fix memory leak in ql_alloc_large_buffers Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 55/68] net: Unpublish sk from sk_reuseport_cb before call_rcu Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 56/68] nfc: fix memory leak in llcp_sock_bind() Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 57/68] qmi_wwan: add support for Cinterion CLS8 devices Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 58/68] sch_dsmark: fix potential NULL deref in dsmark_init() Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 59/68] vsock: Fix a lockdep warning in __vsock_release() Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 60/68] net/rds: Fix error handling in rds_ib_add_one() Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 61/68] xen-netfront: do not use ~0U as error return value for xennet_fill_frags() Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 62/68] tipc: fix unlimited bundling of small messages Greg Kroah-Hartman
2019-10-06 17:21 ` Greg Kroah-Hartman [this message]
2019-10-06 17:21 ` [PATCH 4.14 64/68] ipv6: Handle missing host route in __ipv6_ifa_notify Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 65/68] Smack: Dont ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 66/68] smack: use GFP_NOFS while holding inode_smack::smk_lock Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 67/68] NFC: fix attrs checks in netlink interface Greg Kroah-Hartman
2019-10-06 17:21 ` [PATCH 4.14 68/68] kexec: bail out upon SIGKILL when allocating memory Greg Kroah-Hartman
2019-10-06 23:01 ` [PATCH 4.14 00/68] 4.14.148-stable review kernelci.org bot
2019-10-07 10:08 ` Jon Hunter
2019-10-07 14:32 ` Guenter Roeck
2019-10-07 15:52 ` Daniel Díaz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191006171138.008238363@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzkaller@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).