
[PATCH/hardy] net_sched: Fix qdisc_notify() - CVE-2011-2525

Message ID 1318251968-25688-3-git-send-email-paolo.pisati@canonical.com
State New

Commit Message

Paolo Pisati Oct. 10, 2011, 1:06 p.m. UTC
Ben Pfaff reported a kernel oops and provided a test program to
reproduce it.

https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805

tc_fill_qdisc() should not be called for a builtin qdisc, or it
dereferences a NULL pointer to get the device ifindex.

Fix is to always use tc_qdisc_dump_ignore() before calling
tc_fill_qdisc().

BugLink: http://bugs.launchpad.net/bugs/869250

Reported-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
---
 net/sched/sch_api.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

Patch

diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 8f3edce..fccfe3a 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -843,6 +843,11 @@  rtattr_failure:
 	return -1;
 }
 
+static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+{
+	return (q->flags & TCQ_F_BUILTIN) ? true : false;
+}
+
 static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
 			u32 clid, struct Qdisc *old, struct Qdisc *new)
 {
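Review bot: the ternary in tc_qdisc_dump_ignore() is redundant because the function already returns bool; `return q->flags & TCQ_F_BUILTIN;` (or `!!(q->flags & TCQ_F_BUILTIN)` if you want the narrowing explicit) reads cleaner. A one-line comment above the helper saying why builtin qdiscs must be skipped (they have no device behind them, so tc_fill_qdisc() would dereference NULL to fetch the ifindex, as the commit message explains) would help the next reader of sch_api.c, since the name alone does not say what is being ignored or why.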
@@ -853,11 +858,11 @@  static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
 	if (!skb)
 		return -ENOBUFS;
 
-	if (old && old->handle) {
+	if (old && !tc_qdisc_dump_ignore(old)) {
 		if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
 			goto err_out;
 	}
-	if (new) {
+	if (new && !tc_qdisc_dump_ignore(new)) {
 		if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
 			goto err_out;
 	}
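Review bot: the added guard on `new` is the actual fix for the oops, but the `old` branch also changes semantics: it previously skipped qdiscs whose handle was zero and now skips only those flagged TCQ_F_BUILTIN. Please confirm in the hardy tree that every qdisc with a zero handle is a builtin one and vice versa; otherwise this hunk quietly changes which RTM_DELQDISC notifications are emitted on the way to fixing the NULL dereference. If the two conditions are equivalent there, a sentence in the commit message stating so would save the next backporter the same check.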