git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Victor Nogueira <victor@mojatatu.com>
	Fri, 25 Apr 2025 22:07:06 +0000 (19:07 -0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 9 May 2025 07:41:40 +0000 (09:41 +0200)
commit	8df7d37d626430035b413b97cee18396b3450bef
tree	28ddeaffb8b96b6fcc06543e8963bc14c2c00d3e	tree
parent	4f0ecf50cdf76da95828578a92f130b653ac2fcf	commit \| diff

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

[ Upstream commit 141d34391abbb315d68556b7c67ad97885407547 ]

As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).

This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20250425220710.3964791-3-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>