REJECT: [SRU Mantic] net/sched: sch_hfsc: Ensure inner classes have fsc curve
Stefan Bader
stefan.bader at canonical.com
Fri Sep 29 10:58:21 UTC 2023
On 14.09.23 20:54, Thadeu Lima de Souza Cascardo wrote:
> From: Budimir Markovic <markovicbudimir at gmail.com>
>
> HFSC assumes that inner classes have an fsc curve, but it is currently
> possible for classes without an fsc curve to become parents. This leads
> to bugs including a use-after-free.
>
> Don't allow non-root classes without HFSC_FSC to become parents.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Budimir Markovic <markovicbudimir at gmail.com>
> Signed-off-by: Budimir Markovic <markovicbudimir at gmail.com>
> Acked-by: Jamal Hadi Salim <jhs at mojatatu.com>
> Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> (cherry picked from commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f)
> CVE-2023-4623
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>

This was already applied to mantic and included in Ubuntu-6.5.0-6.6
(-proposed).

> ---
> net/sched/sch_hfsc.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
> index 70b0c5873d32..61d52594ff6d 100644
> --- a/net/sched/sch_hfsc.c
> +++ b/net/sched/sch_hfsc.c
> @@ -1012,6 +1012,10 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
> if (parent == NULL)
> return -ENOENT;
> }
> + if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
> + NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC");
> + return -EINVAL;
> + }
>
> if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
> return -EINVAL;
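
Review bot: the added test `!(parent->cl_flags & HFSC_FSC)` dereferences `parent` after the block holding the `parent == NULL` check has already closed, so it depends on `parent` being non-NULL on the path that skips that block. The visible context does not show where `parent` is initialised, so confirm it is always set (the `parent != &q->root` comparison suggests it defaults to the root class) before this line is reached. A short comment above the check saying why the root class is exempt from the FSC requirement would also help, since the error string only says "parent class must have FSC".
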
--
- Stefan