Re: [PATCH net v3 3/4] net/sched: sch_qfq: account for stab overhead in qfq_enqueue

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Simon Horman <simon.horman@corigine•com>
To: Pedro Tammela <pctammela@mojatatu•com>
Cc: netdev@vger•kernel.org, jhs@mojatatu•com,
	xiyou.wangcong@gmail•com, jiri@resnulli•us, davem@davemloft•net,
	edumazet@google•com, kuba@kernel•org, pabeni@redhat•com,
	shuah@kernel•org, shaozhengchao@huawei•com, victor@mojatatu•com,
	paolo.valente@unimore•it, Lion <nnamrec@gmail•com>
Subject: Re: [PATCH net v3 3/4] net/sched: sch_qfq: account for stab overhead in qfq_enqueue
Date: Thu, 13 Jul 2023 09:35:44 +0100	[thread overview]
Message-ID: <ZK+3YNwKySg9o6Uw@corigine.com> (raw)
In-Reply-To: <20230711210103.597831-4-pctammela@mojatatu.com>

On Tue, Jul 11, 2023 at 06:01:02PM -0300, Pedro Tammela wrote:
> Lion says:
> -------
> In the QFQ scheduler a similar issue to CVE-2023-31436
> persists.
> 
> Consider the following code in net/sched/sch_qfq.c:
> 
> static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
>                 struct sk_buff **to_free)
> {
>      unsigned int len = qdisc_pkt_len(skb), gso_segs;
> 
>     // ...
> 
>      if (unlikely(cl->agg->lmax < len)) {
>          pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
>               cl->agg->lmax, len, cl->common.classid);
>          err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
>          if (err) {
>              cl->qstats.drops++;
>              return qdisc_drop(skb, sch, to_free);
>          }
> 
>     // ...
> 
>      }
> 
> Similarly to CVE-2023-31436, "lmax" is increased without any bounds
> checks according to the packet length "len". Usually this would not
> impose a problem because packet sizes are naturally limited.
> 
> This is however not the actual packet length, rather the
> "qdisc_pkt_len(skb)" which might apply size transformations according to
> "struct qdisc_size_table" as created by "qdisc_get_stab()" in
> net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.
> 
> A user may choose virtually any size using such a table.
> 
> As a result the same issue as in CVE-2023-31436 can occur, allowing heap
> out-of-bounds read / writes in the kmalloc-8192 cache.
> -------
> 
> We can create the issue with the following commands:
> 
> tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
> overhead 999999999 linklayer ethernet qfq
> tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
> tc filter add dev $DEV parent 1: matchall classid 1:1
> ping -I $DEV 1.1.1.2
> 
> This is caused by incorrectly assuming that qdisc_pkt_len() returns a
> length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.
> 
> Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
> Reported-by: Lion <nnamrec@gmail•com>
> Reviewed-by: Eric Dumazet <edumazet@google•com>
> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu•com>
> Signed-off-by: Pedro Tammela <pctammela@mojatatu•com>

Reviewed-by: Simon Horman <simon.horman@corigine•com>

next prev parent reply	other threads:[~2023-07-13  8:36 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-11 21:00 [PATCH net v3 0/4] net/sched: fixes for sch_qfq Pedro Tammela
2023-07-11 21:01 ` [PATCH net v3 1/4] net/sched: sch_qfq: reintroduce lmax bound check for MTU Pedro Tammela
2023-07-13  8:31   ` Simon Horman
2023-07-11 21:01 ` [PATCH net v3 2/4] selftests: tc-testing: add tests for qfq mtu sanity check Pedro Tammela
2023-07-13  8:33   ` Simon Horman
2023-07-13  9:01   ` shaozhengchao
2023-07-11 21:01 ` [PATCH net v3 3/4] net/sched: sch_qfq: account for stab overhead in qfq_enqueue Pedro Tammela
2023-07-13  8:35   ` Simon Horman [this message]
2023-07-13  8:56   ` Paolo Abeni
2023-07-11 21:01 ` [PATCH net v3 4/4] selftests: tc-testing: add test for qfq with stab overhead Pedro Tammela
2023-07-13  8:36   ` Simon Horman
2023-07-13  9:05   ` shaozhengchao
2023-07-13  9:50 ` [PATCH net v3 0/4] net/sched: fixes for sch_qfq patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZK+3YNwKySg9o6Uw@corigine.com \
    --to=simon.horman@corigine$(echo .)com \
    --cc=davem@davemloft$(echo .)net \
    --cc=edumazet@google$(echo .)com \
    --cc=jhs@mojatatu$(echo .)com \
    --cc=jiri@resnulli$(echo .)us \
    --cc=kuba@kernel$(echo .)org \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=nnamrec@gmail$(echo .)com \
    --cc=pabeni@redhat$(echo .)com \
    --cc=paolo.valente@unimore$(echo .)it \
    --cc=pctammela@mojatatu$(echo .)com \
    --cc=shaozhengchao@huawei$(echo .)com \
    --cc=shuah@kernel$(echo .)org \
    --cc=victor@mojatatu$(echo .)com \
    --cc=xiyou.wangcong@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox