commit f3567042b10a7ef4d60edb2a9ab904297f091355
author Budimir Markovic <markovicbudimir@gmail.com> Thu Aug 24 01:49:05 2023 -0700
committer COS Cherry Picker <cloud-image-release@prod.google.com> Sun Sep 17 04:19:42 2023 -0700
tree 76acd70b2f2325a0bf8de9c5097d4ddc2f22c402
parent 47d0679415a4122e61da91db409c48727007e8fa

net/sched: sch_hfsc: Ensure inner classes have fsc curve

[ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ]

HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.

Don't allow non-root classes without HFSC_FSC to become parents.

BUG=b/300062914
TEST=None
RELEASE_NOTE=Fixed CVE-2023-4623 in the linux kernel.

cos-patch: security-high
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
Change-Id: Ie5cb6ce6ca451825c460587c46a577ab7fe3e9ee
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/57328
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

net/sched/sch_hfsc.c

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 70b0c58..61d5259 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1012,6 +1012,10 @@
 		if (parent == NULL)
 			return -ENOENT;
 	}
+	if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
+		NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC");
+		return -EINVAL;
+	}
 
 	if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
 		return -EINVAL;