Bug 1215275 (CVE-2023-4921)

Summary: VUL-0: CVE-2023-4921: kernel: use-after-free in net/sched: sch_qfq component
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, denis.kirjanov, marco.crivellari, mbenes, meissner, miroslav.franc, mkubecek, mpdesouza, pmladek, rfrohl, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/378087/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4921:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1215300

Description Alexander Bergmann 2023-09-13 06:45:18 UTC
CVE-2023-4921

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq
component can be exploited to achieve local privilege escalation.

When the plug qdisc is used as a class of the qfq qdisc, sending network packets
triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of
sch_plug and lack of error checking in agg_dequeue().

We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4921
https://www.cve.org/CVERecord?id=CVE-2023-4921
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8fc134fee27f2263988ae38920bc03da416b03d8
https://kernel.dance/8fc134fee27f2263988ae38920bc03da416b03d8
Comment 1 Alexander Bergmann 2023-09-13 08:21:26 UTC
Reproducer:

When the plug qdisc is used as a class of the qfq qdisc it could trigger a
UAF. This issue can be reproduced with the following commands:

  tc qdisc add dev lo root handle 1: qfq
  tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
  tc qdisc add dev lo parent 1:1 handle 2: plug
  tc filter add dev lo parent 1: basic classid 1:1
  ping -c1 127.0.0.1
Comment 2 Alexander Bergmann 2023-09-13 08:26:03 UTC
As always, if the module is not loaded, there is no way to exploit this issue.

A valid workaround would be to prevent sch_qfq from being loaded at all:

# echo "install sch_qfq /bin/true" >> /etc/modprobe.d/00-no-module-load.conf

Keep in mind that kernel modules can also be loaded within the initrd. So it makes sense to rebuild the initial RAM disks after such configuration changes.
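
A check for the workaround in comment 2, added here as an example and not part of the bug report: it reports whether an `install` rule for the module exists, whether the module is already loaded, and whether an initrd file listing still ships the module without the rule file. The function names, verdict strings and the use of a saved initrd listing (for instance `lsinitrd` output) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. All function names are hypothetical.
# Inputs are passed as paths so the checks can also run against saved copies.

# modprobe treats '-' and '_' in module names as equivalent.
norm() { printf '%s\n' "$1" | tr '-' '_'; }

# install_rule_files MODULE CONF_FILE...
# Prints every config file holding "install MODULE /bin/true" (or .../false),
# i.e. a rule that turns a load request for MODULE into a no-op.
install_rule_files() {
    want=$(norm "$1"); shift
    [ "$#" -gt 0 ] || return 0
    awk -v want="$want" '
        /^[ \t]*#/ { next }                      # comment lines
        NF >= 3 && $1 == "install" {
            name = $2; gsub(/-/, "_", name)
            if (name == want && $3 ~ /^(\/usr)?\/bin\/(true|false)$/ &&
                !seen[FILENAME]++)
                print FILENAME
        }
    ' "$@"
}

# module_loaded MODULE PROC_MODULES -> exit 0 if MODULE is in the running kernel
module_loaded() {
    awk -v mod="$(norm "$1")" '$1 == mod { hit = 1 } END { exit hit ? 0 : 1 }' "$2"
}

# initrd_ships_module MODULE LISTING -> exit 0 if the listing names MODULE.ko[.ext]
initrd_ships_module() {
    grep -Eq "/$(norm "$1")\.ko(\.[a-z0-9]+)?\$" "$2"
}

# workaround_status MODULE CONF_DIR PROC_MODULES INITRD_LISTING
# Prints one verdict:
#   loaded          module is already loaded; the rule only affects future loads
#   missing         no install rule found in CONF_DIR
#   rebuild-initrd  rule exists, but the initrd ships the module and not the rule file
#   effective       rule exists and the initrd cannot load the module around it
workaround_status() {
    mod=$1 dir=$2 procmods=$3 listing=$4
    set -- "$dir"/*.conf
    [ -e "$1" ] || set --                        # directory without *.conf files
    rules=$(install_rule_files "$mod" "$@")
    if module_loaded "$mod" "$procmods"; then
        echo loaded; return 0
    fi
    if [ -z "$rules" ]; then
        echo missing; return 0
    fi
    if initrd_ships_module "$mod" "$listing"; then
        # Paths inside an initrd listing have no leading "/".
        # (File names containing spaces are not handled here.)
        for f in $rules; do
            if grep -Fq "etc/modprobe.d/$(basename "$f")" "$listing"; then
                echo effective; return 0
            fi
        done
        echo rebuild-initrd; return 0
    fi
    echo effective
}

# Constructed sample data (not taken from a real host).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/modprobe.d"
    echo 'install sch_qfq /bin/true' > "$d/modprobe.d/00-no-module-load.conf"
    printf 'cls_basic 16384 0 - Live 0x0\nsch_plug 16384 0 - Live 0x0\n' > "$d/modules"
    printf '%s\n' 'usr/lib/modules/x/kernel/net/sched/sch_qfq.ko.zst' > "$d/initrd.lst"
    workaround_status sch_qfq "$d/modprobe.d" "$d/modules" "$d/initrd.lst"
    rm -rf "$d"
}
demo
```

On a live host, save the initrd file listing to a file and call `workaround_status sch_qfq /etc/modprobe.d /proc/modules` with that file as the fourth argument.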
Comment 3 Alexander Bergmann 2023-09-13 08:45:49 UTC
All code-streams except for <=SLE-11-SP4 are affected.
Comment 4 Petr Mladek 2023-09-15 09:07:23 UTC
Denis, could you please take care of this one?
Comment 6 Marcus Meissner 2023-09-25 12:39:43 UTC
ping?
Comment 28 Maintenance Automation 2023-10-10 16:35:18 UTC
SUSE-SU-2023:4031-1: An update that solves 13 vulnerabilities, contains one feature and has 39 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1109837, 1152446, 1154048, 1207168, 1208995, 1210169, 1212703, 1213016, 1214157, 1214380, 1214386, 1214586, 1214940, 1214943, 1214945, 1214946, 1214948, 1214949, 1214950, 1214952, 1214953, 1214961, 1214962, 1214964, 1214965, 1214966, 1214967, 1215115, 1215117, 1215121, 1215122, 1215136, 1215149, 1215152, 1215162, 1215164, 1215165, 1215207, 1215221, 1215275, 1215299, 1215467, 1215607, 1215634, 1215858, 1215860, 1215861, 1215877, 1215897, 1215898, 1215954
CVE References: CVE-2020-36766, CVE-2023-0394, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Jira References: PED-5021
Sources used:
SUSE Linux Enterprise Live Patching 12-SP5 (src): kgraft-patch-SLE12-SP5_Update_49-1-8.3.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): kernel-obs-build-4.12.14-122.179.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): kernel-source-4.12.14-122.179.1, kernel-syms-4.12.14-122.179.1
SUSE Linux Enterprise Server 12 SP5 (src): kernel-source-4.12.14-122.179.1, kernel-syms-4.12.14-122.179.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): kernel-source-4.12.14-122.179.1, kernel-syms-4.12.14-122.179.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Maintenance Automation 2023-10-10 16:35:23 UTC
SUSE-SU-2023:4030-1: An update that solves 13 vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1207036, 1208995, 1210169, 1210643, 1212703, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-23454, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_41-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1

Comment 30 Maintenance Automation 2023-10-10 16:35:37 UTC
SUSE-SU-2023:4033-1: An update that solves 12 vulnerabilities and has 39 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1109837, 1152446, 1154048, 1208995, 1210169, 1212703, 1213016, 1214157, 1214380, 1214386, 1214586, 1214940, 1214943, 1214945, 1214946, 1214948, 1214949, 1214950, 1214952, 1214953, 1214961, 1214962, 1214964, 1214965, 1214966, 1214967, 1215115, 1215117, 1215121, 1215122, 1215136, 1215149, 1215152, 1215162, 1215164, 1215165, 1215207, 1215221, 1215275, 1215299, 1215467, 1215607, 1215634, 1215858, 1215860, 1215861, 1215877, 1215897, 1215898, 1215954
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Real Time 12 SP5 (src): kernel-syms-rt-4.12.14-10.144.1, kernel-source-rt-4.12.14-10.144.1

Comment 31 Maintenance Automation 2023-10-12 12:46:33 UTC
SUSE-SU-2023:4058-1: An update that solves 18 vulnerabilities, contains three features and has 71 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1152472, 1187236, 1201284, 1202845, 1206453, 1208995, 1210169, 1210643, 1210658, 1212639, 1212703, 1213123, 1213534, 1213808, 1214022, 1214037, 1214040, 1214233, 1214351, 1214479, 1214543, 1214635, 1214813, 1214873, 1214928, 1214940, 1214941, 1214942, 1214943, 1214944, 1214945, 1214946, 1214947, 1214948, 1214949, 1214950, 1214951, 1214952, 1214953, 1214954, 1214955, 1214957, 1214958, 1214959, 1214961, 1214962, 1214963, 1214964, 1214965, 1214966, 1214967, 1214986, 1214988, 1214990, 1214991, 1214992, 1214993, 1214995, 1214997, 1214998, 1215115, 1215117, 1215123, 1215124, 1215148, 1215150, 1215221, 1215275, 1215322, 1215467, 1215523, 1215581, 1215752, 1215858, 1215860, 1215861, 1215875, 1215877, 1215894, 1215895, 1215896, 1215899, 1215911, 1215915, 1215916, 1215941, 1215956, 1215957
CVE References: CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-37453, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-4155, CVE-2023-42753, CVE-2023-42754, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5345
Jira References: PED-1549, PED-2023, PED-2025
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1

Comment 33 Maintenance Automation 2023-10-17 16:30:23 UTC
SUSE-SU-2023:4095-1: An update that solves 14 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1176588, 1202845, 1207036, 1207270, 1208995, 1210169, 1210643, 1210658, 1212703, 1213812, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299, 1215322, 1215356
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-23454, CVE-2023-4004, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_37-1-150300.7.5.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Proxy 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Retail Branch Server 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Server 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Enterprise Storage 7.1 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2

Comment 34 Marcos de Souza 2023-10-17 19:18:47 UTC
(In reply to Alexander Bergmann from comment #1)
> Reproducer:
> 
> When the plug qdisc is used as a class of the qfq qdisc it could trigger a
> UAF. This issue can be reproduced with the following commands:
> 
>   tc qdisc add dev lo root handle 1: qfq
>   tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
>   tc qdisc add dev lo parent 1:1 handle 2: plug
>   tc filter add dev lo parent 1: basic classid 1:1
>   ping -c1 127.0.0.1

Using this reproducer, the UAF is gone, but there is a WARNING being triggered:

+ tc qdisc add dev lo root handle 1: qfq                                                                                             
+ tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512                                
+ tc qdisc add dev lo parent 1:1 handle 2: plug    
+ tc filter add dev lo parent 1: basic classid 1:1
+ ping -c1 127.0.0.1             
[   14.697977] NET: Registered PF_INET6 protocol family      
[   14.701290] Segment Routing with IPv6
[   14.701503] In-situ OAM (IOAM) with IPv6
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.                                                                                     
[   14.708208] ------------[ cut here ]------------
[   14.708407] qfq_dequeue: non-workconserving leaf
[   14.708669] WARNING: CPU: 4 PID: 169 at net/sched/sch_qfq.c:1006 qfq_dequeue+0x6f1/0x700 [sch_qfq]
[   14.709018] Modules linked in: ipv6 cls_basic sch_plug sch_qfq
[   14.709231] CPU: 4 PID: 169 Comm: ping Not tainted 6.6.0-rc6+ #24
[   14.709458] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   14.709659] RIP: 0010:qfq_dequeue+0x6f1/0x700 [sch_qfq]
[   14.709846] Code: ff 48 8b 7c 24 18 e8 7e 2a 50 e5 83 85 e8 00 00 00 01 e9 b9 fc ff ff 48 c7 c7 00 03 33 c0 c6 05 74 62 00 00 01 e8 2f 3c 0c e5 <0f> 0b e9 1e fb ff ff 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
[   14.710484] RSP: 0018:ffff88810f79f558 EFLAGS: 00010286


Is this expected? I can reproduce it with the current Linus tree (6.6rc6).
Comment 35 Marcos de Souza 2023-10-17 19:26:19 UTC
While creating the livepatch for this problem I had to touch some functions that call qdisc->ops->peek on sch_qfq.c to call qdisc_peek_dequeued if the qdisc->ops was from sch_plug.c, something like below:

  static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
                                             struct qfq_class **cl,
                                             unsigned int *len)
  {
          struct sk_buff *skb;

          *cl = list_first_entry(&agg->active, struct qfq_class, alist);

          if ((*cl)->qdisc->ops == klpe_plug_qdisc_ops)
                  skb = qdisc_peek_dequeued((*cl)->qdisc);
          else
                  skb = (*cl)->qdisc->ops->peek((*cl)->qdisc);

(klpe_plug_qdisc_ops comes from kallsyms_lookup)

to replicate the upstream solution (we cannot livepatch sch_plug's plug_qdisc_ops, and qdisc_peek_head is defined as inline, so notrace is set for the function).

In this case, if I don't touch these functions, leaving ->peek call qdisc_peek_head when plug is used, the WARNING is gone. I don't know if this could cause other problems.

It's just my 2 cents considering that the code now triggers a warning since the qdisc_peek_dequeued returns NULL in this situation.
Comment 37 Maintenance Automation 2023-10-20 12:30:11 UTC
SUSE-SU-2023:4142-1: An update that solves 13 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1176588, 1202845, 1207270, 1208995, 1210169, 1210643, 1210658, 1212703, 1213812, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299, 1215322, 1215356
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-4004, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:

Comment 42 Maintenance Automation 2023-11-02 16:30:10 UTC
SUSE-SU-2023:4347-1: An update that solves 17 vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1208995, 1210169, 1210778, 1212703, 1214233, 1214380, 1214386, 1215115, 1215117, 1215221, 1215275, 1215299, 1215467, 1215745, 1215858, 1215860, 1215861, 1216046, 1216051
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-31085, CVE-2023-34324, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-42754, CVE-2023-45862, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP1 (src): kernel-livepatch-SLE15-SP1_Update_45-1-150100.3.3.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1
SUSE CaaS Platform 4.0 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1

Comment 47 Denis Kirjanov 2023-12-13 13:03:01 UTC
(In reply to Marcos de Souza from comment #35)
> While creating the livepatch for this problem I had to touch some functions that
> call qdisc->ops->peek on sch_qfq.c to call qdisc_peek_dequeued if the
> qdisc->ops was from sch_plug.c, something like below:
> 
>   static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
>                                              struct qfq_class **cl,
>                                              unsigned int *len)
>   {             
>           struct sk_buff *skb;
>                 
>           *cl = list_first_entry(&agg->active, struct qfq_class, alist);
>                 
>           if ((*cl)->qdisc->ops == klpe_plug_qdisc_ops)                     
> 
>                 skb = qdisc_peek_dequeued((*cl)->qdisc);
>           else
>                 skb = (*cl)->qdisc->ops->peek((*cl)->qdisc);
> 
> (klpe_plug_qdisc_ops comes from kallsyms_lookup)
> 
> to replicate the upstream solution (we cannot livepatch sch_plug's
> plug_qdisc_ops, and qdisc_peek_head is defined as inline, so notrace is set
> for the function).
> 
> In this case, if I don't touch these functions, leaving ->peek call
> qdisc_peek_head when plug is used, the WARNING is gone. I don't know if this
> could cause other problems.
> 
> It's just my 2 cents considering that the code now triggers a warning since
> the qdisc_peek_dequeued returns NULL in this situation.

I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
The difference is that after the patch you can't just have a null pointer to skb and have the warning instead
Comment 48 Marcos de Souza 2023-12-15 14:39:56 UTC
(In reply to Denis Kirjanov from comment #47)
> (In reply to Marcos de Souza from comment #35)
> > While creating the livepatch for this problem I had to touch some functions that
> > call qdisc->ops->peek on sch_qfq.c to call qdisc_peek_dequeued if the
> > qdisc->ops was from sch_plug.c, something like below:
> > 
> >   static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
> >                                              struct qfq_class **cl,
> >                                              unsigned int *len)
> >   {             
> >           struct sk_buff *skb;
> >                 
> >           *cl = list_first_entry(&agg->active, struct qfq_class, alist);
> >                 
> >           if ((*cl)->qdisc->ops == klpe_plug_qdisc_ops)                     
> > 
> >                 skb = qdisc_peek_dequeued((*cl)->qdisc);
> >           else
> >                 skb = (*cl)->qdisc->ops->peek((*cl)->qdisc);
> > 
> > (klpe_plug_qdisc_ops comes from kallsyms_lookup)
> > 
> > to replicate the upstream solution (we cannot livepatch sch_plug's
> > plug_qdisc_ops, and qdisc_peek_head is defined as inline, so notrace is set
> > for the function).
> > 
> > In this case, if I don't touch these functions, leaving ->peek call
> > qdisc_peek_head when plug is used, the WARNING is gone. I don't know if this
> > could cause other problems.
> > 
> > It's just my 2 cents considering that the code now triggers a warning since
> > the qdisc_peek_dequeued returns NULL in this situation.
> 
> I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
> The difference is that after the patch you can't just have a null pointer to
> skb and have the warning instead

A similar discussion was happening on bug 1212971. Leaving a warning in place can create a DoS easily exploitable if panic_on_warn is set. I'm not a networking expert, but wouldn't it be difficult to solve? Or maybe follow a different direction here?

Thanks Denis!
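
The exposure discussed in comment 48, as an added example that is not part of the bug report: it extracts `sch_qfq` WARNING records from a saved kernel log and pairs them with the `panic_on_warn` setting of the host being assessed. The log lines in the sample are copied from comment 34; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# qfq_warn_hits LOGFILE
# Prints "<timestamp> <file:line> pid=<pid>" for every WARNING raised from
# net/sched/sch_qfq.c in a saved kernel log (dmesg output or a journal export).
qfq_warn_hits() {
    awk '
        /WARNING: CPU: [0-9]+ PID: [0-9]+ at net\/sched\/sch_qfq\.c:/ {
            ts = "-"; pid = "?"; loc = "?"
            if (match($0, /\[ *[0-9]+\.[0-9]+\]/)) {
                ts = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/ /, "", ts)
            }
            for (i = 1; i < NF; i++) {
                if ($i == "PID:") pid = $(i + 1)
                if ($i == "at")   loc = $(i + 1)
            }
            print ts, loc, "pid=" pid
        }
    ' "$1"
}

# warn_exposure LOGFILE PANIC_ON_WARN_FILE
# LOGFILE may come from any host running the same kernel build (a test box,
# a previous boot). PANIC_ON_WARN_FILE is /proc/sys/kernel/panic_on_warn of
# the host being assessed. Prints one verdict:
#   not-seen    no sch_qfq WARNING in the log
#   warn-only   WARNING present, the host keeps running on WARN
#   panic-risk  WARNING present and the host panics on any WARN
warn_exposure() {
    hits=$(qfq_warn_hits "$1" | wc -l | tr -d ' ')
    pow=$(cat "$2" 2>/dev/null || echo 0)
    if [ "$hits" -eq 0 ]; then
        echo not-seen
    elif [ "$pow" = 1 ]; then
        echo panic-risk
    else
        echo warn-only
    fi
}

demo() {
    d=$(mktemp -d)
    # Log lines copied from comment 34 of this report.
    cat > "$d/dmesg.txt" <<'EOF'
[   14.708208] ------------[ cut here ]------------
[   14.708407] qfq_dequeue: non-workconserving leaf
[   14.708669] WARNING: CPU: 4 PID: 169 at net/sched/sch_qfq.c:1006 qfq_dequeue+0x6f1/0x700 [sch_qfq]
[   14.709018] Modules linked in: ipv6 cls_basic sch_plug sch_qfq
EOF
    echo 1 > "$d/panic_on_warn"   # constructed setting for the assessed host
    qfq_warn_hits "$d/dmesg.txt"
    warn_exposure "$d/dmesg.txt" "$d/panic_on_warn"
    rm -rf "$d"
}
demo
```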
Comment 49 Denis Kirjanov 2023-12-18 10:06:28 UTC
(In reply to Marcos de Souza from comment #48)
> (In reply to Denis Kirjanov from comment #47)
> > (In reply to Marcos de Souza from comment #35)
> > > While creating the livepatch for this problem I had to touch some functions that
> > > call qdisc->ops->peek on sch_qfq.c to call qdisc_peek_dequeued if the
> > > qdisc->ops was from sch_plug.c, something like below:
> > > 
> > >   static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
> > >                                              struct qfq_class **cl,
> > >                                              unsigned int *len)
> > >   {             
> > >           struct sk_buff *skb;
> > >                 
> > >           *cl = list_first_entry(&agg->active, struct qfq_class, alist);
> > >                 
> > >           if ((*cl)->qdisc->ops == klpe_plug_qdisc_ops)                     
> > > 
> > >                 skb = qdisc_peek_dequeued((*cl)->qdisc);
> > >           else
> > >                 skb = (*cl)->qdisc->ops->peek((*cl)->qdisc);
> > > 
> > > (klpe_plug_qdisc_ops comes from kallsyms_lookup)
> > > 
> > > to replicate the upstream solution (we cannot livepatch sch_plug's
> > > plug_qdisc_ops, and qdisc_peek_head is defined as inline, so notrace is set
> > > for the function).
> > > 
> > > In this case, if I don't touch these functions, leaving ->peek call
> > > qdisc_peek_head when plug is used, the WARNING is gone. I don't know if this
> > > could cause other problems.
> > > 
> > > It's just my 2 cents considering that the code now triggers a warning since
> > > the qdisc_peek_dequeued returns NULL in this situation.
> > 
> > I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
> > The difference is that after the patch you can't just have a null pointer to
> > skb and have the warning instead
> 
> A similar discussion was happening on bug 1212971. Leaving a warning in
> place can create a DoS easily exploitable if panic_on_warn is set. I'm not a
> networking expert, but wouldn't it be difficult to solve? Or maybe follow a
> different direction here?
> 
> Thanks Denis!

But you need root privileges to set up qdisc:
tc qdisc add dev lo root handle 1: qfq
Absolute path to 'tc' is '/usr/sbin/tc', so running it may require superuser privileges (eg. root).

with root you can easily reboot the system as well like using CONFIG_MAGIC_SYSRQ
Comment 50 Miroslav Beneš 2023-12-19 09:19:50 UTC
> > > I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
> > > The difference is that after the patch you can't just have a null pointer to
> > > skb and have the warning instead
> > 
> > A similar discussion was happening on bug 1212971. Leaving a warning in
> > place can create a DoS easily exploitable if panic_on_warn is set. I'm not a
> > networking expert, but wouldn't it be difficult to solve? Or maybe follow a
> > different direction here?
> > 
> > Thanks Denis!
> 
> But you need root privileges to set up qdisc:
> tc qdisc add dev lo root handle 1: qfq
> Absolute path to 'tc' is '/usr/sbin/tc', so running it may require superuser
> privileges (eg. root).
> 
> with root you can easily reboot the system as well like using
> CONFIG_MAGIC_SYSRQ

In case of the discussed simple reproducer, yes, you are right. But isn't there a different way to trigger the warning that might then be misused? That would be my concern.
Comment 51 Marcos de Souza 2024-01-22 12:13:30 UTC
(In reply to Miroslav Beneš from comment #50)
> > > > I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
> > > > The difference is that after the patch you can't just have a null pointer to
> > > > skb and have the warning instead
> > > 
> > > A similar discussion was happening on bug 1212971. Leaving a warning in
> > > place can create a DoS easily exploitable if panic_on_warn is set. I'm not a
> > > networking expert, but wouldn't it be difficult to solve? Or maybe follow a
> > > different direction here?
> > > 
> > > Thanks Denis!
> > 
> > But you need root privileges to set up qdisc:
> > tc qdisc add dev lo root handle 1: qfq
> > Absolute path to 'tc' is '/usr/sbin/tc', so running it may require superuser
> > privileges (eg. root).
> > 
> > with root you can easily reboot the system as well like using
> > CONFIG_MAGIC_SYSRQ
> 
> In case of the discussed simple reproducer, yes, you are right. But isn't
> there a different way to trigger the warning that might then be misused?
> That would be my concern.

Denis, what do you think about Miroslav's comment? Thanks!
Comment 52 Denis Kirjanov 2024-01-26 13:28:44 UTC
(In reply to Marcos de Souza from comment #51)
> (In reply to Miroslav Beneš from comment #50)
> > > > > I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
> > > > > The difference is that after the patch you can't just have a null pointer to
> > > > > skb and have the warning instead
> > > > 
> > > > A similar discussion was happening on bug 1212971. Leaving a warning in
> > > > place can create a DoS easily exploitable if panic_on_warn is set. I'm not a
> > > > networking expert, but wouldn't it be difficult to solve? Or maybe follow a
> > > > different direction here?
> > > > 
> > > > Thanks Denis!
> > > 
> > > But you need root privileges to set up qdisc:
> > > tc qdisc add dev lo root handle 1: qfq
> > > Absolute path to 'tc' is '/usr/sbin/tc', so running it may require superuser
> > > privileges (eg. root).
> > > 
> > > with root you can easily reboot the system as well like using
> > > CONFIG_MAGIC_SYSRQ
> > 
> > In case of the discussed simple reproducer, yes, you are right. But isn't
> > there a different way to trigger the warning that might then be misused?
> > That would be my concern.
> 
> Denis, what do you think about Miroslav's comment? Thanks!

I'll add the following commit:
commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77
Author: Liu Jian <liujian56@huawei.com>
Date:   Mon Oct 23 14:47:29 2023 +0800

    net: sched: sch_qfq: Use non-work-conserving warning handler
    
    A helper function for printing non-work-conserving alarms is added in
    commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving
     warning handler."). In this commit, use qdisc_warn_nonwc() instead of
    WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc.
    
    Signed-off-by: Liu Jian <liujian56@huawei.com>
    Link: https://lore.kernel.org/r/20231023064729.370649-1-liujian56@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Comment 53 Marcos de Souza 2024-01-29 16:32:35 UTC
(In reply to Denis Kirjanov from comment #52)
> (In reply to Marcos de Souza from comment #51)
> > (In reply to Miroslav Beneš from comment #50)
> > > > > > I think this warning - "qfq_dequeue: non-workconserving leaf" is expected.
> > > > > > The difference is that after the patch you can't just have a null pointer to
> > > > > > skb and have the warning instead
> > > > > 
> > > > > A similar discussion was happening on bug 1212971. Leaving a warning in
> > > > > place can create a DoS easily exploitable if panic_on_warn is set. I'm not a
> > > > > networking expert, but wouldn't it be difficult to solve? Or maybe follow a
> > > > > different direction here?
> > > > > 
> > > > > Thanks Denis!
> > > > 
> > > > But you need root privileges to set up qdisc:
> > > > tc qdisc add dev lo root handle 1: qfq
> > > > Absolute path to 'tc' is '/usr/sbin/tc', so running it may require superuser
> > > > privileges (eg. root).
> > > > 
> > > > with root you can easily reboot the system as well like using
> > > > CONFIG_MAGIC_SYSRQ
> > > 
> > > In case of the discussed simple reproducer, yes, you are right. But isn't
> > > there a different way to trigger the warning that might then be misused?
> > > That would be my concern.
> > 
> > Denis, what do you think about Miroslav's comment? Thanks!
> 
> I'll add the following commit:
> commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77
> Author: Liu Jian <liujian56@huawei.com>
> Date:   Mon Oct 23 14:47:29 2023 +0800
> 
>     net: sched: sch_qfq: Use non-work-conserving warning handler
>     
>     A helper function for printing non-work-conserving alarms is added in
>     commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add
> non-work-conserving
>      warning handler."). In this commit, use qdisc_warn_nonwc() instead of
>     WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc.
>     
>     Signed-off-by: Liu Jian <liujian56@huawei.com>
>     Link:
> https://lore.kernel.org/r/20231023064729.370649-1-liujian56@huawei.com
>     Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Hi Denis, with this patch the warning isn't triggered anymore. Thanks for following the problem upstream and pointing it to us!

I'll keep creating the livepatch to risk this one off our list.

Thanks!
Comment 56 Miroslav Beneš 2024-02-07 07:43:13 UTC
> I'll add the following commit:
> commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77
> Author: Liu Jian <liujian56@huawei.com>
> Date:   Mon Oct 23 14:47:29 2023 +0800
> 
>     net: sched: sch_qfq: Use non-work-conserving warning handler
>     
>     A helper function for printing non-work-conserving alarms is added in
>     commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add
> non-work-conserving
>      warning handler."). In this commit, use qdisc_warn_nonwc() instead of
>     WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc.
>     
>     Signed-off-by: Liu Jian <liujian56@huawei.com>
>     Link:
> https://lore.kernel.org/r/20231023064729.370649-1-liujian56@huawei.com
>     Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Thanks! This addresses my concern.
Comment 74 Maintenance Automation 2024-02-14 16:30:05 UTC
SUSE-SU-2024:0469-1: An update that solves 19 vulnerabilities, contains eight features and has 41 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1108281, 1141539, 1174649, 1181674, 1193285, 1194869, 1209834, 1210443, 1211515, 1212091, 1214377, 1215275, 1215885, 1216441, 1216559, 1216702, 1217895, 1217987, 1217988, 1217989, 1218005, 1218447, 1218527, 1218659, 1218713, 1218723, 1218730, 1218738, 1218752, 1218757, 1218768, 1218778, 1218779, 1218804, 1218832, 1218836, 1218916, 1218948, 1218958, 1218968, 1218997, 1219006, 1219012, 1219013, 1219014, 1219053, 1219067, 1219120, 1219128, 1219136, 1219285, 1219349, 1219412, 1219429, 1219434, 1219490, 1219512, 1219568, 1219582
CVE References: CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-4921, CVE-2023-51042, CVE-2023-51043, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6356, CVE-2023-6531, CVE-2023-6535, CVE-2023-6536, CVE-2023-6915, CVE-2024-0565, CVE-2024-0641, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086
Jira References: PED-4729, PED-6694, PED-7322, PED-7615, PED-7616, PED-7620, PED-7622, PED-7623
Sources used:
openSUSE Leap 15.5 (src): kernel-livepatch-SLE15-SP5-RT_Update_10-1-150500.11.5.1, kernel-source-rt-5.14.21-150500.13.35.1, kernel-syms-rt-5.14.21-150500.13.35.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5-RT_Update_10-1-150500.11.5.1
SUSE Real Time Module 15-SP5 (src): kernel-source-rt-5.14.21-150500.13.35.1, kernel-syms-rt-5.14.21-150500.13.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 75 Maintenance Automation 2024-02-14 20:30:17 UTC
SUSE-SU-2024:0474-1: An update that solves 15 vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1108281, 1193285, 1215275, 1216702, 1217987, 1217988, 1217989, 1218713, 1218730, 1218752, 1218757, 1218768, 1218804, 1218832, 1218836, 1219053, 1219120, 1219412, 1219434
CVE References: CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-4921, CVE-2023-51043, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536, CVE-2023-6915, CVE-2024-0565, CVE-2024-0775, CVE-2024-1086
Sources used:
SUSE Enterprise Storage 7.1 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1, kernel-syms-5.3.18-150300.59.150.1, kernel-source-5.3.18-150300.59.150.1, kernel-obs-build-5.3.18-150300.59.150.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1
openSUSE Leap 15.3 (src): kernel-obs-qa-5.3.18-150300.59.150.1, kernel-source-5.3.18-150300.59.150.1, kernel-syms-5.3.18-150300.59.150.1, kernel-livepatch-SLE15-SP3_Update_41-1-150300.7.3.1, kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1, kernel-obs-build-5.3.18-150300.59.150.1
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_41-1-150300.7.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1, kernel-syms-5.3.18-150300.59.150.1, kernel-source-5.3.18-150300.59.150.1, kernel-obs-build-5.3.18-150300.59.150.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1, kernel-syms-5.3.18-150300.59.150.1, kernel-source-5.3.18-150300.59.150.1, kernel-obs-build-5.3.18-150300.59.150.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-default-base-5.3.18-150300.59.150.1.150300.18.88.1, kernel-syms-5.3.18-150300.59.150.1, kernel-source-5.3.18-150300.59.150.1, kernel-obs-build-5.3.18-150300.59.150.1

Comment 76 Maintenance Automation 2024-02-15 12:30:02 UTC
SUSE-SU-2024:0478-1: An update that solves 15 vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1108281, 1193285, 1215275, 1216702, 1217987, 1217988, 1217989, 1218713, 1218730, 1218752, 1218757, 1218768, 1218804, 1218832, 1218836, 1219053, 1219120, 1219412, 1219434
CVE References: CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-4921, CVE-2023-51043, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536, CVE-2023-6915, CVE-2024-0565, CVE-2024-0775, CVE-2024-1086
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_45-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-default-base-5.3.18-150200.24.178.1.150200.9.91.1, kernel-syms-5.3.18-150200.24.178.1, kernel-obs-build-5.3.18-150200.24.178.1, kernel-source-5.3.18-150200.24.178.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-default-base-5.3.18-150200.24.178.1.150200.9.91.1, kernel-syms-5.3.18-150200.24.178.1, kernel-obs-build-5.3.18-150200.24.178.1, kernel-source-5.3.18-150200.24.178.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-default-base-5.3.18-150200.24.178.1.150200.9.91.1, kernel-syms-5.3.18-150200.24.178.1, kernel-obs-build-5.3.18-150200.24.178.1, kernel-source-5.3.18-150200.24.178.1

Comment 77 Maintenance Automation 2024-02-15 16:30:13 UTC
SUSE-SU-2024:0516-1: An update that solves 21 vulnerabilities, contains nine features and has 40 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1108281, 1141539, 1174649, 1181674, 1193285, 1194869, 1209834, 1210443, 1211515, 1212091, 1214377, 1215275, 1215885, 1216441, 1216559, 1216702, 1217895, 1217987, 1217988, 1217989, 1218005, 1218447, 1218527, 1218659, 1218689, 1218713, 1218723, 1218730, 1218752, 1218757, 1218768, 1218778, 1218779, 1218804, 1218832, 1218836, 1218916, 1218948, 1218958, 1218968, 1218997, 1219006, 1219012, 1219013, 1219014, 1219053, 1219067, 1219120, 1219128, 1219136, 1219285, 1219349, 1219412, 1219429, 1219434, 1219490, 1219512, 1219568, 1219582, 1219608
CVE References: CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-4921, CVE-2023-51042, CVE-2023-51043, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6356, CVE-2023-6531, CVE-2023-6535, CVE-2023-6536, CVE-2023-6915, CVE-2024-0340, CVE-2024-0565, CVE-2024-0641, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086, CVE-2024-24860
Jira References: PED-4729, PED-6694, PED-7322, PED-7615, PED-7616, PED-7618, PED-7620, PED-7622, PED-7623
Sources used:
openSUSE Leap 15.5 (src): kernel-livepatch-SLE15-SP5_Update_10-1-150500.11.5.1, kernel-source-5.14.21-150500.55.49.1, kernel-default-base-5.14.21-150500.55.49.1.150500.6.21.2, kernel-obs-build-5.14.21-150500.55.49.1, kernel-syms-5.14.21-150500.55.49.1, kernel-obs-qa-5.14.21-150500.55.49.1
SUSE Linux Enterprise Micro 5.5 (src): kernel-default-base-5.14.21-150500.55.49.1.150500.6.21.2
Basesystem Module 15-SP5 (src): kernel-source-5.14.21-150500.55.49.1, kernel-default-base-5.14.21-150500.55.49.1.150500.6.21.2
Development Tools Module 15-SP5 (src): kernel-obs-build-5.14.21-150500.55.49.1, kernel-source-5.14.21-150500.55.49.1, kernel-syms-5.14.21-150500.55.49.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_10-1-150500.11.5.1

Comment 78 Maintenance Automation 2024-02-15 16:30:26 UTC
SUSE-SU-2024:0515-1: An update that solves 20 vulnerabilities and has 16 security fixes can now be installed.

Category: security (important)
Bug References: 1108281, 1177529, 1209834, 1212091, 1215275, 1215885, 1216016, 1216702, 1217217, 1217670, 1217895, 1217987, 1217988, 1217989, 1218689, 1218713, 1218730, 1218752, 1218757, 1218768, 1218804, 1218832, 1218836, 1218916, 1218929, 1218930, 1218968, 1219053, 1219120, 1219128, 1219349, 1219412, 1219429, 1219434, 1219490, 1219608
CVE References: CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-4921, CVE-2023-51042, CVE-2023-51043, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536, CVE-2023-6915, CVE-2024-0340, CVE-2024-0565, CVE-2024-0641, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086, CVE-2024-24860
Sources used:
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1, kernel-obs-build-5.14.21-150400.24.108.1, kernel-syms-5.14.21-150400.24.108.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1, kernel-obs-build-5.14.21-150400.24.108.1, kernel-syms-5.14.21-150400.24.108.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1, kernel-obs-build-5.14.21-150400.24.108.1, kernel-syms-5.14.21-150400.24.108.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1, kernel-obs-build-5.14.21-150400.24.108.1, kernel-syms-5.14.21-150400.24.108.1
SUSE Manager Proxy 4.3 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1
SUSE Manager Retail Branch Server 4.3 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1
SUSE Manager Server 4.3 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1
openSUSE Leap 15.4 (src): kernel-source-5.14.21-150400.24.108.1, kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-syms-5.14.21-150400.24.108.1, kernel-obs-qa-5.14.21-150400.24.108.1, kernel-obs-build-5.14.21-150400.24.108.1, kernel-livepatch-SLE15-SP4_Update_23-1-150400.9.5.1
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_23-1-150400.9.5.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): kernel-default-base-5.14.21-150400.24.108.1.150400.24.50.2, kernel-source-5.14.21-150400.24.108.1, kernel-obs-build-5.14.21-150400.24.108.1, kernel-syms-5.14.21-150400.24.108.1

Comment 79 Maintenance Automation 2024-02-15 16:30:37 UTC
SUSE-SU-2024:0514-1: An update that solves 21 vulnerabilities, contains nine features and has 41 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1108281, 1141539, 1174649, 1181674, 1193285, 1194869, 1209834, 1210443, 1211515, 1212091, 1214377, 1215275, 1215885, 1216441, 1216559, 1216702, 1217895, 1217987, 1217988, 1217989, 1218005, 1218447, 1218527, 1218659, 1218689, 1218713, 1218723, 1218730, 1218738, 1218752, 1218757, 1218768, 1218778, 1218779, 1218804, 1218832, 1218836, 1218916, 1218948, 1218958, 1218968, 1218997, 1219006, 1219012, 1219013, 1219014, 1219053, 1219067, 1219120, 1219128, 1219136, 1219285, 1219349, 1219412, 1219429, 1219434, 1219490, 1219512, 1219568, 1219582, 1219608
CVE References: CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-4921, CVE-2023-51042, CVE-2023-51043, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6356, CVE-2023-6531, CVE-2023-6535, CVE-2023-6536, CVE-2023-6915, CVE-2024-0340, CVE-2024-0565, CVE-2024-0641, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086, CVE-2024-24860
Jira References: PED-4729, PED-6694, PED-7322, PED-7615, PED-7616, PED-7618, PED-7620, PED-7622, PED-7623
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.34.1, kernel-syms-azure-5.14.21-150500.33.34.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.34.1, kernel-syms-azure-5.14.21-150500.33.34.1

Comment 83 Robert Frohl 2024-06-05 07:50:27 UTC
done, closing