Message ID | 1630295221-9859-1-git-send-email-tcs_kernel@tencent.com |
---|---|
State | New |
Series | [V2] fix array-index-out-of-bounds in taprio_change |
On Mon, Aug 30, 2021 at 10:14 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Mon, 30 Aug 2021 11:30:06 +0000 patchwork-bot+netdevbpf@kernel.org
> wrote:
> > Hello:
> >
> > This patch was applied to netdev/net-next.git (refs/heads/master):
> >
> > On Mon, 30 Aug 2021 11:47:01 +0800 you wrote:
> > > From: Haimin Zhang <tcs_kernel@tencent.com>
> > >
> > > syzbot reports an array-index-out-of-bounds in taprio_change
> > > index 16 is out of range for type '__u16 [16]'
> > > that's because mqprio->num_tc is larger than TC_MAX_QUEUE, so we check
> > > the return value of netdev_set_num_tc.
> > >
> > > [...]
> >
> > Here is the summary with links:
> >   - [V2] fix array-index-out-of-bounds in taprio_change
> >     https://git.kernel.org/netdev/net-next/c/efe487fce306
> >
> > You are awesome, thank you!
>
> https://lore.kernel.org/netdev/20210830091046.610ceb1b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com/
>
> Oh, well...

I agree it is slightly better to make the check work in
taprio_parse_mqprio_opt(), but this patch is not bad either, we need
to check the return value of netdev_set_num_tc() for completeness at
least.

BTW, this patch should be landed in -net, not -net-next, as it fixes
a real bug reported by syzbot.

Thanks.
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index 9c79374..1ab2fc9 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -1513,7 +1513,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, taprio_set_picos_per_byte(dev, q); if (mqprio) { - netdev_set_num_tc(dev, mqprio->num_tc); + err = netdev_set_num_tc(dev, mqprio->num_tc); + if (err) + goto free_sched; for (i = 0; i < mqprio->num_tc; i++) netdev_set_tc_queue(dev, i, mqprio->count[i],
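
Review bot: The new "if (err) goto free_sched;" after netdev_set_num_tc() rejects an oversized mqprio->num_tc only at the point where it is applied, after taprio_set_picos_per_byte(dev, q) has already run. As raised in the thread, the bound is better enforced in taprio_parse_mqprio_opt(), so that a num_tc larger than TC_MAX_QUEUE is refused before taprio_change() touches the device, with this return-value check kept as a backstop. In the loop directly below, netdev_set_tc_queue(dev, i, mqprio->count[i], ...) is still called with its return value ignored; consider checking it the same way so both setters are handled consistently.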