In the Linux kernel, the following vulnerability has been resolved:
net/sched: fq_pie: fix OOB access in the traffic path
the following script:
# tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2 # tc qdisc add dev eth0 clsact # tc filter add dev eth0 egress matchall action skbedit priority 0x10002 # ping 192.0.2.2 -I eth0 -c2 -w1 -q
produces the following splat:
BUG: KASAN: slab-out-of-bounds in fqpieqdiscenqueue+0x1314/0x19d0 [schfq_pie] Read of size 4 at addr ffff888171306924 by task ping/942
CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dumpstack+0x92/0xc1 printaddressdescription.constprop.7+0x1a/0x150 kasanreport.cold.13+0x7f/0x111 fqpieqdiscenqueue+0x1314/0x19d0 [schfqpie] _devqueuexmit+0x1034/0x2b10 ipfinishoutput2+0xc62/0x2120 _ipfinishoutput+0x553/0xea0 ipoutput+0x1ca/0x4d0 ipsendskb+0x37/0xa0 rawsendmsg+0x1c4b/0x2d00 socksendmsg+0xdb/0x110 _syssendto+0x1d7/0x2b0 _x64syssendto+0xdd/0x1b0 dosyscall64+0x3c/0x80 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7fe69735c3eb Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89 RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIGRAX: 000000000000002c RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003 RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260 R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0
Allocated by task 917: kasansavestack+0x19/0x40 kasankmalloc+0x7f/0xa0 _kmallocnode+0x139/0x280 fqpieinit+0x555/0x8e8 [schfqpie] qdisccreate+0x407/0x11b0 tcmodifyqdisc+0x3c2/0x17e0 rtnetlinkrcvmsg+0x346/0x8e0 netlinkrcvskb+0x120/0x380 netlinkunicast+0x439/0x630 netlinksendmsg+0x719/0xbf0 socksendmsg+0xe2/0x110 _syssendmsg+0x5ba/0x890 _syssendmsg+0xe9/0x160 _syssendmsg+0xd3/0x170 dosyscall64+0x3c/0x80 entrySYSCALL64afterhwframe+0x44/0xae
The buggy address belongs to the object at ffff888171306800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 36 bytes to the right of 256-byte region [ffff888171306800, ffff888171306900) The buggy address belongs to the page: page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306 head:00000000bcfb624e order:1 compound_mapcount:0 flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fix fqpie traffic path to avoid selecting 'q->flows + q->flowscnt' as a valid flow: it's an address beyond the allocated memory.