Unverified Commit 5c1bf1ba authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!12179 net/sched: Fix CVE-2024-36244 

Merge Pull Request from: @ci-robot 
 
PR sync from: Dong Chenchen <dongchenchen2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6WFCC7XDJ2LSTKGH72G6PZ36WZQALBGR/ 
Fix CVE-2024-36244

Kuniyuki Iwashima (1):
  net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.

Vladimir Oltean (1):
  net/sched: taprio: extend minimum interval restriction to entire cycle
    too


-- 
2.25.1
 
https://gitee.com/src-openeuler/kernel/issues/IA7D5O 
 
Link:https://gitee.com/openeuler/kernel/pulls/12179

 

Reviewed-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parents 40435f77 f32241c5

net/sched/sch_taprio.c

+15 −4
Original line number Diff line number Diff line
@@ -769,6 +769,11 @@ static const struct nla_policy entry_policy[TCA_TAPRIO_SCHED_ENTRY_MAX + 1] = { 
	[TCA_TAPRIO_SCHED_ENTRY_INTERVAL]  = { .type = NLA_U32 },

};



static struct netlink_range_validation_signed taprio_cycle_time_range = {

	.min = 0,

	.max = INT_MAX,

};



static const struct nla_policy taprio_policy[TCA_TAPRIO_ATTR_MAX + 1] = {

	[TCA_TAPRIO_ATTR_PRIOMAP]	       = {

		.len = sizeof(struct tc_mqprio_qopt)
@@ -777,7 +782,8 @@ static const struct nla_policy taprio_policy[TCA_TAPRIO_ATTR_MAX + 1] = { 
	[TCA_TAPRIO_ATTR_SCHED_BASE_TIME]            = { .type = NLA_S64 },

	[TCA_TAPRIO_ATTR_SCHED_SINGLE_ENTRY]         = { .type = NLA_NESTED },

	[TCA_TAPRIO_ATTR_SCHED_CLOCKID]              = { .type = NLA_S32 },

	[TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME]           = { .type = NLA_S64 },

	[TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME]           =

		NLA_POLICY_FULL_RANGE_SIGNED(NLA_S64, &taprio_cycle_time_range),

	[TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME_EXTENSION] = { .type = NLA_S64 },

	[TCA_TAPRIO_ATTR_FLAGS]                      = { .type = NLA_U32 },

	[TCA_TAPRIO_ATTR_TXTIME_DELAY]		     = { .type = NLA_U32 },
@@ -907,14 +913,19 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, 
		list_for_each_entry(entry, &new->entries, list)

			cycle = ktime_add_ns(cycle, entry->interval);



		if (!cycle) {

			NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0");

		if (cycle < 0 || cycle > INT_MAX) {

			NL_SET_ERR_MSG(extack, "'cycle_time' is too big");

			return -EINVAL;

		}



		new->cycle_time = cycle;

	}



	if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) {

		NL_SET_ERR_MSG(extack, "'cycle_time' is too small");

		return -EINVAL;

	}



	return 0;

}
@@ -1113,7 +1124,7 @@ static void setup_txtime(struct taprio_sched *q, 
			 struct sched_gate_list *sched, ktime_t base)

{

	struct sched_entry *entry;

	u32 interval = 0;

	u64 interval = 0;



	list_for_each_entry(entry, &sched->entries, list) {

		entry->next_txtime = ktime_add_ns(base, interval);