Bugzilla – Bug 1207125
VUL-0: CVE-2023-23455: kernel: type-confusion in the ATM network scheduler
Last modified: 2023-03-27 13:00:45 UTC
CVE-2023-23455

Date: Tue, 10 Jan 2023 15:07:44 -0700
From: Kyle Zeng <zengyhkyle@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Type Confusion in Linux Kernel

Hi John,

A crash report is attached to this email. I hope this helps evaluate the security implication of the bug.

Best,
Kyle Zeng

==================================================================
BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x9d8/0x1fc0
Read of size 1 at addr ffff88806bfd40aa by task sd-resolve/250

CPU: 2 PID: 250 Comm: sd-resolve Not tainted 5.4.188 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack+0x19d/0x1e7
 print_address_description+0xd7/0xca0
 __kasan_report+0x1e0/0x270
 kasan_report+0x30/0x60
 cbq_enqueue+0x9d8/0x1fc0
 __dev_queue_xmit+0x2238/0x49f0
 ip_finish_output2+0x1529/0x2430
 ip_output+0x358/0x3f0
 ip_send_skb+0xec/0x220
 udp_send_skb+0xd4f/0x1710
 udp_sendmsg+0x3889/0x4ee0
 ____sys_sendmsg+0x1083/0x1240
 __sys_sendmmsg+0x88d/0xe90
 __x64_sys_sendmmsg+0xa1/0xb0
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f188612135f
Code: 89 f5 55 53 89 cd 41 89 d4 89 fb 48 83 ec 18 e8 b7 b1 00 00 44 89 e2 41 89 c0 48 63 fb 4c 63 d5 4c 89 ee b8 33 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 1b 44 89 c7 89 44 24 0c e8 ed b1 00 00 8b 44
RSP: 002b:00007f1883b5fc10 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f188612135f
RDX: 0000000000000002 RSI: 00007f1883b5fdb0 RDI: 000000000000000d
RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000004000 R11: 0000000000000293 R12: 0000000000000002
R13: 00007f1883b5fdb0 R14: 0000000008ce68e8 R15: 00007f1883b67db8

Allocated by task 1285:
 __kasan_kmalloc+0x1d9/0xdf0
 tc_new_tfilter+0x1f2e/0x41f0
 rtnetlink_rcv_msg+0x777/0x12d0
 netlink_rcv_skb+0x39b/0x870
 netlink_unicast+0xb45/0xf90
 netlink_sendmsg+0x1477/0x1830
 ____sys_sendmsg+0x1206/0x1240
 __sys_sendmsg+0x48d/0x570
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 106:
 __kasan_slab_free+0x293/0xe30
 kfree+0x33e/0x1010
 process_one_work+0xea3/0x17b0
 worker_thread+0xecc/0x1a00
 kthread+0x33b/0x3a0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff88806bfd4000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 42 bytes to the right of
 128-byte region [ffff88806bfd4000, ffff88806bfd4080)
The buggy address belongs to the page:
page:ffffea0001aff500 refcount:1 mapcount:0 mapping:ffff88806bc03200 index:0x0
flags: 0x100000000000200(slab)
raw: 0100000000000200 ffffea0001a50b40 0000000400000004 ffff88806bc03200
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806bfd3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806bfd4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
>ffff88806bfd4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff88806bfd4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806bfd4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23455
http://www.openwall.com/lists/oss-security/2023/01/10/4
http://www.openwall.com/lists/oss-security/2023/01/10/1
https://www.cve.org/CVERecord?id=CVE-2023-23455
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2965c7be0522eaa18808684b7b82b248515511b
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12
A second CVE was allocated for this bug... Same affectedness as bsc#1207036
Denis, this should be the same thing as bug 1207036 but please verify and include the bug & CVE references into the patches. Thanks!
SUSE-SU-2023:0152-1: An update that solves 19 vulnerabilities, contains three features and has 71 fixes is now available. Category: security (important) Bug References: 1065729,1151927,1156395,1157049,1190969,1203183,1203693,1203740,1204171,1204250,1204614,1204693,1204760,1204989,1205149,1205256,1205495,1205496,1205601,1205695,1206073,1206113,1206114,1206174,1206175,1206176,1206177,1206178,1206179,1206344,1206389,1206393,1206394,1206395,1206397,1206398,1206399,1206515,1206602,1206634,1206635,1206636,1206637,1206640,1206641,1206642,1206643,1206644,1206645,1206646,1206647,1206648,1206649,1206663,1206664,1206784,1206841,1206854,1206855,1206857,1206858,1206859,1206860,1206873,1206875,1206876,1206877,1206878,1206880,1206881,1206882,1206883,1206884,1206885,1206886,1206887,1206888,1206889,1206890,1206891,1206893,1206896,1206904,1207036,1207125,1207134,1207186,1207198,1207218,1207237 CVE References: CVE-2019-19083,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3111,CVE-2022-3112,CVE-2022-3115,CVE-2022-3435,CVE-2022-3564,CVE-2022-3643,CVE-2022-42328,CVE-2022-42329,CVE-2022-4662,CVE-2022-47520,CVE-2022-47929,CVE-2023-0266,CVE-2023-23454,CVE-2023-23455 JIRA References: PED-1445,PED-1706,PED-568 Sources used: openSUSE Leap Micro 5.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1 openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.109.1 SUSE Manager Server 4.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-zfcpdump-5.3.18-150300.59.109.1 SUSE Manager Retail Branch Server 4.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1 SUSE Manager Proxy 4.2 (src): kernel-default-5.3.18-150300.59.109.1, 
kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1 SUSE Linux Enterprise Server for SAP 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise Server 15-SP3-LTSS (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1, kernel-zfcpdump-5.3.18-150300.59.109.1 SUSE Linux Enterprise Realtime Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1, kernel-livepatch-SLE15-SP3_Update_28-1-150300.7.3.1 SUSE Linux Enterprise Micro 5.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1 SUSE Linux Enterprise Micro 5.1 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1 SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, 
kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1 SUSE Enterprise Storage 7.1 (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This bug seems to approach a good date for CVE SLA fulfillment [1]. Denis, what is its status, please? Namely these seem missing:
- SLE15-SP4
- cve/linux-4.12 (OK in bsc#1207036)
- cve/linux-4.4
- cve/linux-3.0
- SLE15-SP5-GA
- (stable)
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
SUSE-SU-2023:0406-1: An update that solves 16 vulnerabilities, contains one feature and has 14 fixes is now available. Category: security (important) Bug References: 1203183,1203693,1203740,1204171,1204614,1204760,1205149,1206073,1206113,1206114,1206314,1206389,1206393,1206395,1206398,1206399,1206515,1206664,1206677,1206784,1207036,1207125,1207134,1207186,1207188,1207189,1207190,1207237,1207769,1207823 CVE References: CVE-2022-3105,CVE-2022-3107,CVE-2022-3108,CVE-2022-3112,CVE-2022-3115,CVE-2022-3435,CVE-2022-3564,CVE-2022-3643,CVE-2022-42328,CVE-2022-42329,CVE-2022-4662,CVE-2022-47520,CVE-2022-47929,CVE-2023-0266,CVE-2023-23454,CVE-2023-23455 JIRA References: PED-1706 Sources used: SUSE Linux Enterprise Server for SAP 15-SP2 (src): kernel-default-5.3.18-150200.24.142.1, kernel-default-base-5.3.18-150200.24.142.1.150200.9.67.1, kernel-docs-5.3.18-150200.24.142.1, kernel-obs-build-5.3.18-150200.24.142.1, kernel-preempt-5.3.18-150200.24.142.1, kernel-source-5.3.18-150200.24.142.1, kernel-syms-5.3.18-150200.24.142.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): kernel-default-5.3.18-150200.24.142.1, kernel-default-base-5.3.18-150200.24.142.1.150200.9.67.1, kernel-docs-5.3.18-150200.24.142.1, kernel-obs-build-5.3.18-150200.24.142.1, kernel-preempt-5.3.18-150200.24.142.1, kernel-source-5.3.18-150200.24.142.1, kernel-syms-5.3.18-150200.24.142.1 SUSE Linux Enterprise Module for Live Patching 15-SP2 (src): kernel-default-5.3.18-150200.24.142.1, kernel-livepatch-SLE15-SP2_Update_33-1-150200.5.3.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): kernel-default-5.3.18-150200.24.142.1, kernel-default-base-5.3.18-150200.24.142.1.150200.9.67.1, kernel-docs-5.3.18-150200.24.142.1, kernel-obs-build-5.3.18-150200.24.142.1, kernel-preempt-5.3.18-150200.24.142.1, kernel-source-5.3.18-150200.24.142.1, kernel-syms-5.3.18-150200.24.142.1 SUSE Linux Enterprise High Availability 15-SP2 (src): kernel-default-5.3.18-150200.24.142.1 SUSE Enterprise Storage 7 (src): 
kernel-default-5.3.18-150200.24.142.1, kernel-default-base-5.3.18-150200.24.142.1.150200.9.67.1, kernel-docs-5.3.18-150200.24.142.1, kernel-obs-build-5.3.18-150200.24.142.1, kernel-preempt-5.3.18-150200.24.142.1, kernel-source-5.3.18-150200.24.142.1, kernel-syms-5.3.18-150200.24.142.1
SUSE-SU-2023:0420-1: An update that solves 9 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1108488,1205705,1205709,1206073,1206113,1206664,1206677,1206784,1207036,1207125,1207186,1207237 CVE References: CVE-2018-9517,CVE-2022-3564,CVE-2022-3643,CVE-2022-42895,CVE-2022-42896,CVE-2022-4662,CVE-2022-47929,CVE-2023-23454,CVE-2023-23455 JIRA References: Sources used: SUSE Linux Enterprise Server 12-SP2-BCL (src): kernel-default-4.4.121-92.199.1, kernel-source-4.4.121-92.199.1, kernel-syms-4.4.121-92.199.1
SUSE-SU-2023:0433-1: An update that solves 9 vulnerabilities, contains two features and has 42 fixes is now available. Category: security (important) Bug References: 1065729,1185861,1185863,1186449,1191256,1192868,1193629,1194869,1195175,1195655,1196058,1199701,1204063,1204356,1204662,1205495,1206006,1206036,1206056,1206057,1206258,1206363,1206459,1206616,1206677,1206784,1207010,1207034,1207036,1207050,1207125,1207134,1207149,1207158,1207184,1207186,1207190,1207237,1207263,1207269,1207497,1207500,1207501,1207506,1207507,1207734,1207769,1207795,1207842,1207878,1207933 CVE References: CVE-2020-24588,CVE-2022-4382,CVE-2022-47929,CVE-2023-0122,CVE-2023-0179,CVE-2023-0266,CVE-2023-0590,CVE-2023-23454,CVE-2023-23455 JIRA References: SLE-21132,SLE-24682 Sources used: openSUSE Leap Micro 5.3 (src): kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3 openSUSE Leap 15.4 (src): dtb-aarch64-5.14.21-150400.24.46.1, kernel-64kb-5.14.21-150400.24.46.1, kernel-debug-5.14.21-150400.24.46.1, kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3, kernel-docs-5.14.21-150400.24.46.2, kernel-kvmsmall-5.14.21-150400.24.46.1, kernel-obs-build-5.14.21-150400.24.46.1, kernel-obs-qa-5.14.21-150400.24.46.1, kernel-source-5.14.21-150400.24.46.1, kernel-syms-5.14.21-150400.24.46.1, kernel-zfcpdump-5.14.21-150400.24.46.1 SUSE Linux Enterprise Workstation Extension 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1 SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1, kernel-livepatch-SLE15-SP4_Update_8-1-150400.9.3.3 SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): kernel-docs-5.14.21-150400.24.46.2, kernel-obs-build-5.14.21-150400.24.46.1, kernel-source-5.14.21-150400.24.46.1, kernel-syms-5.14.21-150400.24.46.1 SUSE Linux Enterprise Module for 
Basesystem 15-SP4 (src): kernel-64kb-5.14.21-150400.24.46.1, kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3, kernel-source-5.14.21-150400.24.46.1, kernel-zfcpdump-5.14.21-150400.24.46.1 SUSE Linux Enterprise Micro 5.3 (src): kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3 SUSE Linux Enterprise High Availability 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1
SUSE-SU-2023:0488-1: An update that solves 11 vulnerabilities, contains two features and has 133 fixes can now be installed. Category: security (important) Bug References: 1166486, 1185861, 1185863, 1186449, 1191256, 1192868, 1193629, 1194869, 1195175, 1195655, 1196058, 1199701, 1203332, 1204063, 1204356, 1204662, 1205495, 1206006, 1206036, 1206056, 1206057, 1206224, 1206258, 1206363, 1206459, 1206616, 1206640, 1206677, 1206784, 1206876, 1206877, 1206878, 1206880, 1206881, 1206882, 1206883, 1206884, 1206885, 1206886, 1206887, 1206888, 1206889, 1206890, 1206893, 1206894, 1207010, 1207034, 1207036, 1207050, 1207125, 1207134, 1207149, 1207158, 1207184, 1207186, 1207188, 1207189, 1207190, 1207237, 1207263, 1207269, 1207328, 1207497, 1207500, 1207501, 1207506, 1207507, 1207588, 1207589, 1207590, 1207591, 1207592, 1207593, 1207594, 1207602, 1207603, 1207605, 1207606, 1207607, 1207608, 1207609, 1207610, 1207611, 1207612, 1207613, 1207614, 1207615, 1207616, 1207617, 1207618, 1207619, 1207620, 1207621, 1207622, 1207623, 1207624, 1207625, 1207626, 1207627, 1207628, 1207629, 1207630, 1207631, 1207632, 1207633, 1207634, 1207635, 1207636, 1207637, 1207638, 1207639, 1207640, 1207641, 1207642, 1207643, 1207644, 1207645, 1207646, 1207647, 1207648, 1207649, 1207650, 1207651, 1207652, 1207653, 1207734, 1207768, 1207769, 1207770, 1207771, 1207773, 1207795, 1207842, 1207875, 1207878, 1207933, 1208030, 1208044, 1208085, 1208149, 1208153, 1208183, 1208428, 1208429 CVE References: CVE-2020-24588, CVE-2022-36280, CVE-2022-4382, CVE-2022-47929, CVE-2023-0045, CVE-2023-0122, CVE-2023-0179, CVE-2023-0266, CVE-2023-0590, CVE-2023-23454, CVE-2023-23455 Jira References: PED-3210, SLE-21132 Sources used: openSUSE Leap 15.4 (src): kernel-source-rt-5.14.21-150400.15.11.1, kernel-syms-rt-5.14.21-150400.15.11.1 SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_3-1-150400.1.3.1 SUSE Real Time Module 15-SP4 (src): kernel-source-rt-5.14.21-150400.15.11.1, 
kernel-syms-rt-5.14.21-150400.15.11.1
SUSE-SU-2023:0591-1: An update that solves six vulnerabilities, contains two features and has 51 fixes can now be installed. Category: security (important) Bug References: 1065729, 1156395, 1203740, 1204614, 1204989, 1205496, 1205601, 1205695, 1206073, 1206344, 1206393, 1206399, 1206515, 1206602, 1206634, 1206635, 1206636, 1206637, 1206640, 1206641, 1206642, 1206643, 1206644, 1206645, 1206646, 1206647, 1206648, 1206649, 1206841, 1206854, 1206855, 1206857, 1206858, 1206859, 1206860, 1206873, 1206875, 1206876, 1206877, 1206878, 1206880, 1206881, 1206882, 1206883, 1206884, 1206885, 1206886, 1206887, 1206888, 1206889, 1206890, 1206891, 1206893, 1206896, 1206904, 1207036, 1207125 CVE References: CVE-2022-3112, CVE-2022-3115, CVE-2022-3564, CVE-2022-47520, CVE-2023-23454, CVE-2023-23455 Jira References: PED-1445, PED-568 Sources used: SUSE Real Time Module 15-SP3 (src): kernel-syms-rt-5.3.18-150300.118.1, kernel-source-rt-5.3.18-150300.118.1
Update: This CVE-2023-23455 is not mentioned in cve/linux-4.12. But the fix is there via the duplicate CVE-2023-23454, see the bug #1207036. It is mentioned in all other branches or at least in a parent branch where it is going to be merged from. Denis, could you please add the CVE-2023-23455 reference into cve/linux-4.12?
(In reply to Petr Mladek from comment #41)
> Denis, could you please add the CVE-2023-23455 reference into cve/linux-4.12?

I've added the refs in users/mkoutny/cve/linux-4.12/bsc1207125, so if these are really dupes, you can take it.

BUT --

(In reply to Nicolai Stange from bug 1207036, comment 20)
> Upstream commit caa4b35b4317 ("net: sched: cbq: dont intepret cls results
> when asked to drop") looks bogus to me: it removes a switch case branch
> where the preceding one used to fallthrough into. Denis, could you have a
> look and check whether or not this is a potential problem?

I agree with Nicolai, the change makes TC_ACT_TRAP behave like added TC_ACT_RECLASSIFY. __NET_XMIT_STOLEN + possibly not-trivial cbq_class.

I like the upstream fixup:
commit 051d442098421c28c7951625652f61b1e15c4bd5
Author: Jamal Hadi Salim <jhs@mojatatu.com>
Date: Tue Feb 14 08:49:11 2023 -0500

net/sched: Retire CBQ qdisc
...
4 files changed, 1929 deletions(-)

Our downstream fixup would be

diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c index fab6b5c4c319..fce45a42d471 100644 --- a/net/sched/sch_cbq.c +++ b/net/sched/sch_cbq.c @@ -252,7 +252,7 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) case TC_ACT_STOLEN: case TC_ACT_TRAP: *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN; - fallthrough; + return NULL; case TC_ACT_RECLASSIFY: return cbq_reclassify(skb, cl); }
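Review bot: The "return NULL;" that replaces "fallthrough;" under "case TC_ACT_STOLEN:" / "case TC_ACT_TRAP:" hands the caller a NULL class while *qerr carries NET_XMIT_SUCCESS | __NET_XMIT_STOLEN, and the hunk does not show how the caller of cbq_classify() treats that combination. The changelog should state that the NULL path reports the packet as stolen rather than as a drop. As posted the patch has no changelog at all: it needs a description, a Fixes: reference to caa4b35b4317 (the commit that the comment above says removed the branch this case used to fall through into), and the bsc#1207125 / CVE-2023-23455 references that this bug asks to be included in the patches.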
(In reply to Michal Koutný from comment #44)
> (In reply to Petr Mladek from comment #41)
> > Denis, could you please add the CVE-2023-23455 reference into cve/linux-4.12?
>
> I've added the refs in users/mkoutny/cve/linux-4.12/bsc1207125, so if these
> are really dupes, you can take it.
>
> BUT --
>
> (In reply to Nicolai Stange from bug 1207036, comment 20)
> > Upstream commit caa4b35b4317 ("net: sched: cbq: dont intepret cls results
> > when asked to drop") looks bogus to me: it removes a switch case branch
> > where the preceding one used to fallthrough into. Denis, could you have a
> > look and check whether or not this is a potential problem?
>
> I agree with Nicolai, the change makes TC_ACT_TRAP behave like added
> TC_ACT_RECLASSIFY. __NET_XMIT_STOLEN + possibly not-trivial cbq_class.
>
> I like the upstream fixup:
> commit 051d442098421c28c7951625652f61b1e15c4bd5
> Author: Jamal Hadi Salim <jhs@mojatatu.com>
> Date: Tue Feb 14 08:49:11 2023 -0500
>
> net/sched: Retire CBQ qdisc
> ...
> 4 files changed, 1929 deletions(-)
>
> Our downstream fixup would be
>
> diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c > index fab6b5c4c319..fce45a42d471 100644 > --- a/net/sched/sch_cbq.c > +++ b/net/sched/sch_cbq.c > @@ -252,7 +252,7 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int > *qerr) > case TC_ACT_STOLEN: > case TC_ACT_TRAP: > *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN; > - fallthrough; > + return NULL; > case TC_ACT_RECLASSIFY: > return cbq_reclassify(skb, cl); > }
I've merged your branch with the fix applied. Thanks