korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-09-21 20:22:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
3b3a2a9c63
linux/net
History
Stephen Hemminger 3b3a2a9c63 sch/netem: fix use after free in netem_dequeue 
If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")

Commands to trigger KASAN UaF:

ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF

Fixes: 50612537e9 ("netem: fix classful handling")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-09-03 11:44:23 -07:00
..
6lowpan
9p Two fixes headed to stable trees: 2024-05-29 09:25:15 -07:00
802
8021q net: Add struct kernel_ethtool_ts_info 2024-07-15 08:02:26 -07:00
appletalk
atm atm: clean up a put_user() calls 2024-06-14 19:08:50 -07:00
ax25 ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() 2024-06-01 15:49:42 -07:00
batman-adv Revert "batman-adv: prefer kfree_rcu() over call_rcu() with free-only callbacks" 2024-06-12 20:18:00 +02:00
bluetooth Bluetooth: MGMT: Ignore keys being loaded with invalid type 2024-08-30 17:57:11 -04:00
bpf bpf-next-for-netdev 2024-07-09 17:01:46 +02:00
bridge netfilter: nf_queue: drop packets with cloned unconfirmed conntracks 2024-08-14 23:37:23 +02:00
caif net: caif: remove unused structs 2024-06-05 10:18:06 +01:00
can can: bcm: Remove proc entry when dev is unregistered. 2024-08-06 09:25:12 +02:00
ceph libceph: fix crush_choose_firstn() kernel-doc warnings 2024-07-11 16:33:07 +02:00
core ethtool: check device is present when getting link settings 2024-08-26 14:03:02 -07:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-27 12:14:11 -07:00
devlink devlink: Constify the 'table_ops' parameter of devl_dpipe_table_register() 2024-06-05 10:24:57 +01:00
dns_resolver
dsa net: dsa: provide a software untagging function on RX for VLAN-aware bridges 2024-08-16 09:59:32 +01:00
ethernet
ethtool ethtool: check device is present when getting link settings 2024-08-26 14:03:02 -07:00
handshake
hsr net: hsr: cosmetic: Remove extra white space 2024-06-19 17:32:57 -07:00
ieee802154 bpf-next-for-netdev 2024-05-28 07:27:29 -07:00
ife
ipv4 tcp_bpf: fix return value of tcp_bpf_sendmsg() 2024-08-30 11:09:10 -07:00
ipv6 ipv6: prevent possible UAF in ip6_xmit() 2024-08-21 17:35:49 -07:00
iucv s390/iucv: Fix vargs handling in iucv_alloc_device() 2024-08-22 13:09:20 -07:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-08-19 18:36:12 -07:00
key
l2tp l2tp: fix lockdep splat 2024-08-08 08:28:24 -07:00
l3mdev
lapb
llc llc: Constify struct llc_sap_state_trans 2024-07-15 08:51:19 -07:00
mac80211 wifi: mac80211: free skb on error path in ieee80211_beacon_get_ap() 2024-08-26 17:45:45 +02:00
mac802154 net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() 2024-06-03 11:20:56 +02:00
mctp net: mctp: test: Use correct skb for route input check 2024-08-19 17:48:00 -07:00
mpls sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
mptcp mptcp: pm: ADD_ADDR 0 is not a new address 2024-08-29 10:39:50 +02:00
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-06-01 16:21:44 -07:00
netfilter netfilter: flowtable: validate vlan header 2024-08-22 12:14:18 +02:00
netlabel
netlink net: netlink: remove the cb_mutex "injection" from netlink core 2024-06-10 13:15:40 +01:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-06-17 13:06:23 +01:00
nfc
nsh
openvswitch net: ovs: fix ovs_drop_reasons error 2024-08-22 13:09:15 -07:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-15 13:19:17 -07:00
phonet sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
psample net: psample: fix flag being set in wrong skb 2024-07-11 18:11:31 -07:00
qrtr net: qrtr: ns: Ignore ENODEV failures in ns 2024-06-14 13:17:21 +02:00
rds sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
rfkill net: rfkill: Correct return value in invalid parameter case 2024-06-26 10:49:01 +02:00
rose
rxrpc
sched sch/netem: fix use after free in netem_dequeue 2024-09-03 11:44:23 -07:00
sctp sctp: fix association labeling in the duplicate COOKIE-ECHO case 2024-08-27 16:07:12 -07:00
smc net/smc: prevent NULL pointer dereference in txopt_get 2024-08-30 13:26:12 +01:00
strparser
sunrpc rpcrdma: Trace connection registration and unregistration 2024-08-19 11:50:41 -04:00
switchdev
tipc A lot of networking people were at a conference last week, busy 2024-07-25 13:32:25 -07:00
tls net: tls: Pass union tls_crypto_context pointer to memzero_explicit 2024-07-09 11:14:47 -07:00
unix af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash 2024-07-17 22:49:00 +02:00
vmw_vsock vsock: fix recursive ->recvmsg calls 2024-08-15 12:07:04 +02:00
wireless wifi: cfg80211: correct S1G beacon length calculation 2024-07-26 12:32:47 +02:00
x25
xdp xsk: Require XDP_UMEM_TX_METADATA_LEN to actuate tx_metadata_len 2024-07-25 11:57:27 +02:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-15 13:19:17 -07:00
compat.c
devres.c
Kconfig ethtool: provide customized dim profile management 2024-06-25 17:15:06 -07:00
Kconfig.debug
Makefile
socket.c net: Split a __sys_listen helper for io_uring 2024-06-19 07:57:21 -06:00
sysctl_net.c sysctl: Remove check for sentinel element in ctl_table arrays 2024-06-13 10:50:52 +02:00