redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/net/sched
History
Eric Dumazet b778940f2a net_sched: reject silly cell_log in qdisc_get_rtab() 
commit e4bedf48aa upstream.

iproute2 probably never goes beyond 8 for the cell exponent,
but stick to the max shift exponent for signed 32bit.

UBSAN reported:
UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22
shift exponent 130 is too large for 32-bit type 'int'
CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x183/0x22e lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
 __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389
 qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435
 cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180
 qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246
 tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662
 rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345
 ___sys_sendmsg net/socket.c:2399 [inline]
 __sys_sendmsg+0x319/0x400 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Link: https://lore.kernel.org/r/20210114160637.1660597-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2021-01-27 11:47:54 +01:00
..
Kconfig net/sched: Set default of CONFIG_NET_TC_SKB_EXT to N 2019-09-27 20:08:28 +02:00
Makefile net/sched: Introduce action ct 2019-07-09 12:11:59 -07:00
act_api.c net_sched: remove a redundant goto chain check 2020-10-29 09:57:24 +01:00
act_bpf.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_connmark.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_csum.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ct.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ctinfo.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_gact.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ife.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ipt.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_meta_mark.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
act_meta_skbprio.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
act_meta_skbtcindex.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
act_mirred.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_mpls.c net/sched: act_mpls: ensure LSE is pullable before reading it 2020-12-08 10:40:27 +01:00
act_nat.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_pedit.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_police.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_sample.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_simple.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_skbedit.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_skbmod.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_tunnel_key.c net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels 2020-10-29 09:57:26 +01:00
act_vlan.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
cls_api.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
cls_basic.c net_sched: fix ops->bind_class() implementations 2020-02-01 09:34:38 +00:00
cls_bpf.c net_sched: fix ops->bind_class() implementations 2020-02-01 09:34:38 +00:00
cls_cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cls_flow.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
cls_flower.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
cls_fw.c net_sched: fix ops->bind_class() implementations 2020-02-01 09:34:38 +00:00
cls_matchall.c net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS 2020-02-24 08:36:22 +01:00
cls_route.c net_sched: cls_route: remove the right filter from hashtable 2020-04-01 11:01:36 +02:00
cls_rsvp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cls_rsvp.h cls_rsvp: fix rsvp_policy 2020-02-11 04:35:03 -08:00
cls_rsvp6.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cls_tcindex.c net_sched: avoid shift-out-of-bounds in tcindex_set_parms() 2021-01-27 11:47:54 +01:00
cls_u32.c net_sched: fix ops->bind_class() implementations 2020-02-01 09:34:38 +00:00
em_canid.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 11 2019-05-21 11:28:45 +02:00
em_cmp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
em_ipset.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
em_ipt.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
em_meta.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
em_nbyte.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
em_text.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
em_u32.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ematch.c net_sched: ematch: reject invalid TCF_EM_SIMPLE 2020-02-01 09:34:38 +00:00
sch_api.c net_sched: reject silly cell_log in qdisc_get_rtab() 2021-01-27 11:47:54 +01:00
sch_atm.c net_sched: fix a memory leak in atm_tc_init() 2020-07-22 09:32:48 +02:00
sch_blackhole.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sch_cake.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
sch_cbq.c sch_cbq: validate TCA_CBQ_WRROPT to avoid crash 2019-09-30 11:07:46 -07:00
sch_cbs.c net: cbs: Fix software cbs to consider packet sending time 2020-04-01 11:01:33 +02:00
sch_choke.c net: sched: prevent invalid Scell_log shift count 2021-01-12 20:16:14 +01:00
sch_codel.c net: sched: Fix a possible null-pointer dereference in dequeue_func() 2019-07-29 09:46:58 -07:00
sch_drr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
sch_dsmark.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
sch_etf.c sched: etf: do not assume all sockets are full blown 2020-04-29 16:33:09 +02:00
sch_fifo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sch_fq.c net: fq: add missing attribute validation for orphan mask 2020-03-18 07:17:45 +01:00
sch_fq_codel.c fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks 2020-05-14 07:58:20 +02:00
sch_generic.c net: sch_generic: fix the missing new qdisc assignment bug 2020-11-18 19:20:33 +01:00
sch_gred.c net: sched: prevent invalid Scell_log shift count 2021-01-12 20:16:14 +01:00
sch_hfsc.c netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
sch_hhf.c net/flow_dissector: switch to siphash 2019-10-23 20:13:22 -07:00
sch_htb.c net: sched: sch_htb: don't call qdisc_put() while holding tree lock 2019-09-27 12:13:55 +02:00
sch_ingress.c net: flow_offload: rename TCF_BLOCK_BINDER_TYPE_* to FLOW_BLOCK_BINDER_TYPE_* 2019-07-09 14:38:50 -07:00
sch_mq.c net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues 2019-12-18 16:08:24 +01:00
sch_mqprio.c net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues 2019-12-18 16:08:24 +01:00
sch_multiq.c net: sched: fix `tc -s class show` no bstats on class with nolock subqueues 2019-12-04 22:30:54 +01:00
sch_netem.c netem: fix zero division in tabledist 2020-11-01 12:01:03 +01:00
sch_pie.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 235 2019-06-19 17:09:07 +02:00
sch_plug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sch_prio.c net: sch_prio: When ungrafting, replace with FIFO 2020-01-12 12:21:49 +01:00
sch_qfq.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
sch_red.c net: sched: prevent invalid Scell_log shift count 2021-01-12 20:16:14 +01:00
sch_sfb.c net/flow_dissector: switch to siphash 2019-10-23 20:13:22 -07:00
sch_sfq.c net: sched: prevent invalid Scell_log shift count 2021-01-12 20:16:14 +01:00
sch_skbprio.c net_sched: sch_skbprio: add message validation to skbprio_change() 2020-05-14 07:58:21 +02:00
sch_taprio.c net/sched: sch_taprio: ensure to reset/destroy all child qdiscs 2021-01-12 20:16:16 +01:00
sch_tbf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sch_teql.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00