Commit 9f104c77 authored Dec 06, 2019 by Vladyslav Tarasiuk Committed by David S. Miller Dec 06, 2019

mqprio: Fix out-of-bounds access in mqprio_dump



When user runs a command like
tc qdisc add dev eth1 root mqprio
KASAN stack-out-of-bounds warning is emitted.
Currently, NLA_ALIGN macro used in mqprio_dump provides too large
buffer size as argument for nla_put and memcpy down the call stack.
The flow looks like this:
1. nla_put expects exact object size as an argument;
2. Later it provides this size to memcpy;
3. To calculate correct padding for SKB, nla_put applies NLA_ALIGN
   macro itself.

Therefore, NLA_ALIGN should not be applied to the nla_put parameter.
Otherwise it will lead to out-of-bounds memory access in memcpy.

Fixes: 4e8b86c0 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
Signed-off-by: Vladyslav Tarasiuk <vladyslavt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent f421031e

net/sched/sch_mqprio.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -434,7 +434,7 @@ static int mqprio_dump(struct Qdisc sch, struct sk_buff skb)
		opt.offset[tc] = dev->tc_to_txq[tc].offset;
		}

		if (nla_put(skb, TCA_OPTIONS, NLA_ALIGN(sizeof(opt)), &opt))
		if (nla_put(skb, TCA_OPTIONS, sizeof(opt), &opt))
		goto nla_put_failure;

		if ((priv->flags & TC_MQPRIO_F_MODE) &&

Admin message