Commit f32241c5 authored Oct 14, 2024 by Vladimir Oltean Committed by Dong Chenchen Oct 14, 2024

net/sched: taprio: extend minimum interval restriction to entire cycle too

mainline inclusion
from mainline-v6.10-rc2
commit fb66df20a7201e60f2b13d7f95d031b31a8831d3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D5O
CVE: CVE-2024-36244

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb66df20a7201e60f2b13d7f95d031b31a8831d3



--------------------------------

It is possible for syzbot to side-step the restriction imposed by the
blamed commit in the Fixes: tag, because the taprio UAPI permits a
cycle-time different from (and potentially shorter than) the sum of
entry intervals.

We need one more restriction, which is that the cycle time itself must
be larger than N * ETH_ZLEN bit times, where N is the number of schedule
entries. This restriction needs to apply regardless of whether the cycle
time came from the user or was the implicit, auto-calculated value, so
we move the existing "cycle == 0" check outside the "if "(!new->cycle_time)"
branch. This way covers both conditions and scenarios.

Add a selftest which illustrates the issue triggered by syzbot.

Fixes: b5b73b26 ("taprio: Fix allowing too small intervals")
Reported-by:  <syzbot+a7d2b1d5d1af83035567@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/netdev/0000000000007d66bc06196e7c66@google.com/


Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://lore.kernel.org/r/20240527153955.553333-2-vladimir.oltean@nxp.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Conflicts:
	net/sched/sch_taprio.c
	tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json
[commit a306a90c add taprio_calculate_gate_durations() to calculate tc
gate durations, which wasnt merged lead to conflicts.commit 8a3b3667
("selftests/tc-testing: add selftests for taprio qdisc") that add taprio.json
wasnt merged]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

parent 79953589

net/sched/sch_taprio.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -913,11 +913,6 @@ static int parse_taprio_schedule(struct taprio_sched q, struct nlattr *tb,
		list_for_each_entry(entry, &new->entries, list)
		cycle = ktime_add_ns(cycle, entry->interval);

		if (!cycle) {
		NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0");
		return -EINVAL;
		}

		if (cycle < 0 \|\| cycle > INT_MAX) {
		NL_SET_ERR_MSG(extack, "'cycle_time' is too big");
		return -EINVAL;
		@@ -926,6 +921,11 @@ static int parse_taprio_schedule(struct taprio_sched q, struct nlattr *tb,
		new->cycle_time = cycle;
		}

		if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) {
		NL_SET_ERR_MSG(extack, "'cycle_time' is too small");
		return -EINVAL;
		}

		return 0;
		}