sst-linux/net/sched
Lin Ma 21748669c5 net: fix geneve_opt length integer overflow
[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ]

struct geneve_opt uses a 5-bit length for each single option, which
means every variable-size option should be smaller than 128 bytes.

However, all current related Netlink policies cannot promise this
length condition and the attacker can exploit an exact 128-byte size
option to *fake* a zero length option and confuse the parsing logic,
and further achieve a heap out-of-bounds read.

One example crash log is shown below:

[    3.905425] ==================================================================
[    3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[    3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[    3.906646]
[    3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[    3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[    3.907784] Call Trace:
[    3.907925]  <TASK>
[    3.908048]  dump_stack_lvl+0x44/0x5c
[    3.908258]  print_report+0x184/0x4be
[    3.909151]  kasan_report+0xc5/0x100
[    3.909539]  kasan_check_range+0xf3/0x1a0
[    3.909794]  memcpy+0x1f/0x60
[    3.909968]  nla_put+0xa9/0xe0
[    3.910147]  tunnel_key_dump+0x945/0xba0
[    3.911536]  tcf_action_dump_1+0x1c1/0x340
[    3.912436]  tcf_action_dump+0x101/0x180
[    3.912689]  tcf_exts_dump+0x164/0x1e0
[    3.912905]  fw_dump+0x18b/0x2d0
[    3.913483]  tcf_fill_node+0x2ee/0x460
[    3.914778]  tfilter_notify+0xf4/0x180
[    3.915208]  tc_new_tfilter+0xd51/0x10d0
[    3.918615]  rtnetlink_rcv_msg+0x4a2/0x560
[    3.919118]  netlink_rcv_skb+0xcd/0x200
[    3.919787]  netlink_unicast+0x395/0x530
[    3.921032]  netlink_sendmsg+0x3d0/0x6d0
[    3.921987]  __sock_sendmsg+0x99/0xa0
[    3.922220]  __sys_sendto+0x1b7/0x240
[    3.922682]  __x64_sys_sendto+0x72/0x90
[    3.922906]  do_syscall_64+0x5e/0x90
[    3.923814]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[    3.924122] RIP: 0033:0x7e83eab84407
[    3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[    3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[    3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[    3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[    3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[    3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[    3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8

Fix these issues by enforcing the correct length condition in the related
policies.

Fixes: 925d844696 ("netfilter: nft_tunnel: add support for geneve opts")
Fixes: 4ece477870 ("lwtunnel: add options setting and dumping for geneve")
Fixes: 0ed5269f9e ("net/sched: add tunnel option support to act_tunnel_key")
Fixes: 0a6e77784f ("net/sched: allow flower to match tunnel options")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-04-10 14:33:41 +02:00
act_api.c net: use unrcu_pointer() helper 2024-12-14 19:53:33 +01:00
act_bpf.c
act_connmark.c
act_csum.c
act_ct.c sched: act_ct: take care of padding in struct zones_ht_key 2024-08-11 12:35:56 +02:00
act_ctinfo.c
act_gact.c
act_gate.c
act_ife.c
act_ipt.c
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c
act_mpls.c
act_nat.c
act_pedit.c
act_police.c
act_sample.c
act_simple.c
act_skbedit.c
act_skbmod.c net/sched: act_skbmod: prevent kernel-infoleak 2024-04-10 16:28:26 +02:00
act_tunnel_key.c net: fix geneve_opt length integer overflow 2025-04-10 14:33:41 +02:00
act_vlan.c
cls_api.c
cls_basic.c
cls_bpf.c
cls_cgroup.c
cls_flow.c net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute 2025-01-17 13:34:38 +01:00
cls_flower.c net: fix geneve_opt length integer overflow 2025-04-10 14:33:41 +02:00
cls_fw.c
cls_matchall.c
cls_route.c
cls_u32.c net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. 2024-11-22 15:37:30 +01:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c
Kconfig net/sched: Retire dsmark qdisc 2024-03-01 13:26:24 +01:00
Makefile net/sched: Retire dsmark qdisc 2024-03-01 13:26:24 +01:00
sch_api.c net_sched: Prevent creation of classes with TC_H_ROOT 2025-03-28 21:58:49 +01:00
sch_blackhole.c
sch_cake.c sched: sch_cake: add bounds checks to host bulk flow fairness counts 2025-01-17 13:34:40 +01:00
sch_cbs.c net/sched: cbs: Fix integer overflow in cbs_set_port_rate() 2024-12-14 19:54:40 +01:00
sch_choke.c net: sched: fix ordering of qlen adjustment 2024-12-27 13:52:51 +01:00
sch_codel.c
sch_drr.c
sch_etf.c
sch_ets.c net: sched: fix ets qdisc OOB Indexing 2025-02-01 18:30:09 +01:00
sch_fifo.c pfifo_tail_enqueue: Drop new packet when sch->limit == 0 2025-03-07 16:56:51 +01:00
sch_fq_codel.c
sch_fq_pie.c
sch_fq.c
sch_frag.c
sch_generic.c net: fix races in netdev_tx_sent_queue()/dev_watchdog() 2024-11-01 01:56:04 +01:00
sch_gred.c sched: address a potential NULL pointer dereference in the GRED scheduler. 2025-03-28 21:58:48 +01:00
sch_hfsc.c
sch_hhf.c
sch_htb.c net/sched: fix false lockdep warning on qdisc root lock 2024-06-27 13:46:15 +02:00
sch_ingress.c
sch_mq.c
sch_mqprio.c
sch_multiq.c net: sched: sch_multiq: fix possible OOB write in multiq_tune() 2024-06-21 14:35:33 +02:00
sch_netem.c netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() 2025-02-21 13:49:37 +01:00
sch_pie.c
sch_plug.c
sch_prio.c
sch_qfq.c
sch_red.c
sch_sfb.c
sch_sfq.c net_sched: sch_sfq: don't allow 1 packet limit 2025-02-21 13:48:58 +01:00
sch_skbprio.c net_sched: skbprio: Remove overly strict queue assertions 2025-04-10 14:33:40 +02:00
sch_taprio.c net/sched: taprio: extend minimum interval restriction to entire cycle too 2024-11-22 15:37:34 +01:00
sch_tbf.c net/sched: tbf: correct backlog statistic for GSO packets 2024-12-14 19:54:21 +01:00
sch_teql.c