Commit 0057728f authored Jun 23, 2024 by Hangyu Hua Committed by Zhengchao Shao Jun 23, 2024

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

stable inclusion
from stable-v6.6.35
commit 54c2c171c11a798fe887b3ff72922aa9d1411c1e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6R4J
CVE: CVE-2024-36978

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=54c2c171c11a798fe887b3ff72922aa9d1411c1e



--------------------------------

[ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ]

q->bands will be assigned to qopt->bands to execute subsequent code logic
after kmalloc. So the old q->bands should not be used in kmalloc.
Otherwise, an out-of-bounds write will occur.

Fixes: c2999f7f ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>

parent dc011b0f

net/sched/sch_multiq.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -185,7 +185,7 @@ static int multiq_tune(struct Qdisc sch, struct nlattr opt,

		qopt->bands = qdisc_dev(sch)->real_num_tx_queues;

		removed = kmalloc(sizeof(removed) (q->max_bands - q->bands),
		removed = kmalloc(sizeof(removed) (q->max_bands - qopt->bands),
		GFP_KERNEL);
		if (!removed)
		return -ENOMEM;