Bug 1226797 (CVE-2024-36244)

Summary: VUL-0: CVE-2024-36244: kernel: net/sched: taprio: extend minimum interval restriction to entire cycle too
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Michal Kubeček <mkubecek>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: camila.matos, gabriel.bertazi, mhocko
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/411744/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-36244:3.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-06-21 16:49:10 UTC
In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: extend minimum interval restriction to entire cycle too

It is possible for syzbot to side-step the restriction imposed by the
blamed commit in the Fixes: tag, because the taprio UAPI permits a
cycle-time different from (and potentially shorter than) the sum of
entry intervals.

We need one more restriction, which is that the cycle time itself must
be larger than N * ETH_ZLEN bit times, where N is the number of schedule
entries. This restriction needs to apply regardless of whether the cycle
time came from the user or was the implicit, auto-calculated value, so
we move the existing "cycle == 0" check outside the "if (!new->cycle_time)"
branch. This way covers both conditions and scenarios.

Add a selftest which illustrates the issue triggered by syzbot.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36244
https://www.cve.org/CVERecord?id=CVE-2024-36244
https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724
https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2
https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-36244.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2293654
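
The restriction described in the commit message above, as an added userspace model (not the kernel's code and not part of the original report). The function names, the `mbps` link-speed parameter, the nanosecond units and the exact boundary comparison are assumptions of this sketch; it shows a schedule that satisfies the per-entry check alone but is rejected once the cycle time is checked as well.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_ZLEN 60 /* minimum Ethernet frame length in bytes, excluding FCS */

enum verdict { SCHED_OK, ENTRY_TOO_SMALL, CYCLE_TOO_SMALL };

/* Nanoseconds needed to put ETH_ZLEN bytes on a link of `mbps` Mbit/s. */
static int64_t min_frame_ns(int64_t mbps)
{
    return (int64_t)ETH_ZLEN * 8 * 1000 / mbps;
}

/* Earlier restriction only: every entry interval must fit one minimum frame. */
static enum verdict check_entries(const int64_t *iv, size_t n, int64_t mbps)
{
    for (size_t i = 0; i < n; i++)
        if (iv[i] < min_frame_ns(mbps))
            return ENTRY_TOO_SMALL;
    return SCHED_OK;
}

/* Adds the cycle restriction; cycle_ns == 0 means "use the sum of intervals". */
static enum verdict check_schedule(const int64_t *iv, size_t n,
                                   int64_t cycle_ns, int64_t mbps)
{
    int64_t sum = 0;

    if (check_entries(iv, n, mbps) != SCHED_OK)
        return ENTRY_TOO_SMALL;
    for (size_t i = 0; i < n; i++)
        sum += iv[i];
    if (cycle_ns == 0)
        cycle_ns = sum; /* implicit, auto-calculated cycle */
    /* Applied to explicit and implicit cycles alike; exact boundary is assumed. */
    if (cycle_ns <= 0 || cycle_ns < (int64_t)n * min_frame_ns(mbps))
        return CYCLE_TOO_SMALL;
    return SCHED_OK;
}

int main(void)
{
    const int64_t iv[] = { 500, 500, 500 }; /* constructed sample, ns */

    printf("entries only, cycle 600: %d\n", check_entries(iv, 3, 1000));
    printf("full check,   cycle 600: %d\n", check_schedule(iv, 3, 600, 1000));
    printf("full check,   auto cycle: %d\n", check_schedule(iv, 3, 0, 1000));
    return 0;
}
```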