Commit 91c68ce2 authored by Eric Dumazet Committed by David S. Miller

net: cgroup: fix out of bounds accesses

dev->priomap is allocated by extend_netdev_table() called from
update_netdev_tables().
And this is only called if write_priomap() is called.

But if write_priomap() is not called, it seems we can have out of bounds
accesses in cgrp_destroy(), read_priomap() & skb_update_prio()

With help from Gao Feng
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>
Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 96ca7ffe
...@@ -2444,8 +2444,12 @@ static void skb_update_prio(struct sk_buff *skb) ...@@ -2444,8 +2444,12 @@ static void skb_update_prio(struct sk_buff *skb)
{ {
struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap); struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
if ((!skb->priority) && (skb->sk) && map) if (!skb->priority && skb->sk && map) {
skb->priority = map->priomap[skb->sk->sk_cgrp_prioidx]; unsigned int prioidx = skb->sk->sk_cgrp_prioidx;
if (prioidx < map->priomap_len)
skb->priority = map->priomap[prioidx];
}
} }
#else #else
#define skb_update_prio(skb) #define skb_update_prio(skb)
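Review bot: The new bounds check in skb_update_prio() carries no comment explaining why `prioidx` can exceed `map->priomap_len`, so a later cleanup could mistake it for dead code and remove it. Per the commit message the table is only grown through write_priomap(), so above `if (prioidx < map->priomap_len)` I would add `/* priomap is only extended from write_priomap(); prioidx may lie past priomap_len if the table was never grown for it */`. The check is only sound if `priomap_len` never changes for a given map obtained from rcu_dereference_bh(), presumably because the map is replaced wholesale when extended. The hunk does not show that, so it is worth confirming against extend_netdev_table().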
......
...@@ -142,7 +142,7 @@ static void cgrp_destroy(struct cgroup *cgrp) ...@@ -142,7 +142,7 @@ static void cgrp_destroy(struct cgroup *cgrp)
rtnl_lock(); rtnl_lock();
for_each_netdev(&init_net, dev) { for_each_netdev(&init_net, dev) {
map = rtnl_dereference(dev->priomap); map = rtnl_dereference(dev->priomap);
if (map) if (map && cs->prioidx < map->priomap_len)
map->priomap[cs->prioidx] = 0; map->priomap[cs->prioidx] = 0;
} }
rtnl_unlock(); rtnl_unlock();
...@@ -166,7 +166,7 @@ static int read_priomap(struct cgroup *cont, struct cftype *cft, ...@@ -166,7 +166,7 @@ static int read_priomap(struct cgroup *cont, struct cftype *cft,
rcu_read_lock(); rcu_read_lock();
for_each_netdev_rcu(&init_net, dev) { for_each_netdev_rcu(&init_net, dev) {
map = rcu_dereference(dev->priomap); map = rcu_dereference(dev->priomap);
priority = map ? map->priomap[prioidx] : 0; priority = (map && prioidx < map->priomap_len) ? map->priomap[prioidx] : 0;
cb->fill(cb, dev->name, priority); cb->fill(cb, dev->name, priority);
} }
rcu_read_unlock(); rcu_read_unlock();
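Review bot: The guard `map && idx < map->priomap_len` is now open-coded in cgrp_destroy() and read_priomap() here, and again in skb_update_prio(), so the next site that indexes `priomap` can easily miss it. A small static inline accessor in the shared header, taking the map and the index and returning 0 when the index is out of range, would keep the read sites in step. Separately, the ternary in read_priomap() appears to run well past 80 columns at its indentation; splitting it reads better: `priority = 0;` followed by `if (map && prioidx < map->priomap_len)` and `priority = map->priomap[prioidx];`. Both function bodies start and end outside the hunks shown.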
......