diff options
| author | David S. Miller <davem@davemloft.net> | 2023-01-02 13:32:43 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2023-01-02 13:32:43 +0000 |
| commit | 819fcf4adfbd55e81c4325e11eccae16ccad4106 (patch) | |
| tree | 4357a3c35a5bb065f830b72ad31fdae1389e7c05 | |
| parent | 91e2286160edd29d3fea8efff2dcda7df321878d (diff) | |
| parent | caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12 (diff) | |
| download | pci-819fcf4adfbd55e81c4325e11eccae16ccad4106.tar.gz | |
Merge branch 'cls_drop-fix'
Jamal Hadi Salim says:
====================
net: dont intepret cls results when asked to drop
It is possible that an error in processing may occur in tcf_classify() which
will result in res.classid being some garbage value. Example of such a code path
is when the classifier goes into a loop due to bad policy. See patch 1/2
for a sample splat.
While the core code reacts correctly and asks the caller to drop the packet
(by returning TC_ACT_SHOT) some callers first intepret the res.class as
a pointer to memory and end up dropping the packet only after some activity with
the pointer. There is likelihood of this resulting in an exploit. So lets fix
all the known qdiscs that behave this way.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/sched/sch_atm.c | 5 | ||||
| -rw-r--r-- | net/sched/sch_cbq.c | 4 |
2 files changed, 6 insertions, 3 deletions
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c index f52255fea652b..4a981ca90b0bf 100644 --- a/net/sched/sch_atm.c +++ b/net/sched/sch_atm.c @@ -393,10 +393,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch, result = tcf_classify(skb, NULL, fl, &res, true); if (result < 0) continue; + if (result == TC_ACT_SHOT) + goto done; + flow = (struct atm_flow_data *)res.class; if (!flow) flow = lookup_flow(sch, res.classid); - goto done; + goto drop; } } flow = NULL; diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c index 6568e17c4c634..36db5f6782f2c 100644 --- a/net/sched/sch_cbq.c +++ b/net/sched/sch_cbq.c @@ -230,6 +230,8 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) result = tcf_classify(skb, NULL, fl, &res, true); if (!fl || result < 0) goto fallback; + if (result == TC_ACT_SHOT) + return NULL; cl = (void *)res.class; if (!cl) { @@ -250,8 +252,6 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) case TC_ACT_TRAP: *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN; fallthrough; - case TC_ACT_SHOT: - return NULL; case TC_ACT_RECLASSIFY: return cbq_reclassify(skb, cl); } |