[LTS 9.2 RT] CVE-2023-4623, VULN-6713 #140
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira VULN-6713 cve CVE-2023-4623 commit-author Budimir Markovic <[email protected]> commit b3d26c5 HFSC assumes that inner classes have an fsc curve, but it is currently possible for classes without an fsc curve to become parents. This leads to bugs including a use-after-free. Don't allow non-root classes without HFSC_FSC to become parents. Fixes: 1da177e ("Linux-2.6.12-rc2") Reported-by: Budimir Markovic <[email protected]> Signed-off-by: Budimir Markovic <[email protected]> Acked-by: Jamal Hadi Salim <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit b3d26c5) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-6713 cve CVE-2023-4623 commit-author Pedro Tammela <[email protected]> commit a13b67c Christian Theune says: I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script, leaving me with a non-functional uplink on a remote router. A 'rt' curve cannot be used as a inner curve (parent class), but we were allowing such configurations since the qdisc was introduced. Such configurations would trigger a UAF as Budimir explains: The parent will have vttree_insert() called on it in init_vf(), but will not have vttree_remove() called on it in update_vf() because it does not have the HFSC_FSC flag set. The qdisc always assumes that inner classes have the HFSC_FSC flag set. This is by design as it doesn't make sense 'qdisc wise' for an 'rt' curve to be an inner curve. Budimir's original patch disallows users to add classes with a 'rt' parent, but this is too strict as it breaks users that have been using 'rt' as a inner class. Another approach, taken by this patch, is to upgrade the inner 'rt' into a 'sc', warning the user in the process. It avoids the UAF reported by Budimir while also being more permissive to bad scripts/users/code using 'rt' as a inner class. Users checking the `tc class ls [...]` or `tc class get [...]` dumps would observe the curve change and are potentially breaking with this change. v1->v2: https://lore.kernel.org/all/[email protected]/ - Correct 'Fixes' tag and merge with revert (Jakub) Cc: Christian Theune <[email protected]> Cc: Budimir Markovic <[email protected]> Fixes: b3d26c5 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve") Signed-off-by: Pedro Tammela <[email protected]> Acked-by: Jamal Hadi Salim <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit a13b67c) Signed-off-by: Marcin Wcisło <[email protected]>
pvts-mat
force-pushed
the
ciqlts9_2-rt-CVE-2023-4623
branch
from
7527177 to
bea021e
Compare
|
Passes checks and is reviewed and approved. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 9.2 RT]
CVE-2023-4623
VULN-6713
Problem
https://www.cve.org/CVERecord?id=CVE-2023-4623
Analysis and solution
A single commit was identified as a fix for this issue: b3d26c5702c7d6c45456326e56d2ccf3f103e60f net/sched: sch_hfsc: Ensure inner classes have fsc curve.
The solution consisted of rejecting the addition of a class with a link-sharing curve to the class without it (see Specific tests for details):
The fix introduced a problem with existing network setup scripts for some users https://lore.kernel.org/all/[email protected]/:
It was decided to fix the problem without breaking backwards compatibility https://lore.kernel.org/all/[email protected]/:
The solution was to change the erroneous qdisc hierarchy to a correct one when the possible UAF condition was detected https://lore.kernel.org/all/[email protected]/:
The fix of the fix is given in the commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
While the changes could be squashed into a single commit it was decided to retain the sequence of two commits for more straightforward LTS 9.2 RT - mainline patches correspondence.
The same solution was used already in other "version 9" branches
centos9,ciqlts9_4,rocky9_4,rocky9_5,sig-cloud-9/5.14.0-427.37.1.el9_4,sig-cloud-9/5.14.0-427.40.1.el9_4,sig-cloud-9/5.14.0-427.42.1.el9_4,sig-cloud-9/5.14.0-503.19.1.el9_5,sig-cloud-9/5.14.0-503.22.1.el9_5:kABI check: omitted (unstable ABI of RT kernels)
Boot test: passed
Refer to Specific tests for implicit boot test passing.
Kselftests: passed relative
Methodology
A mix of
kernel-selftests-internaland source-compiled tests were used:kernel-selftests-internal:bpftests, except:bpf:test_kmod.sh: takes very long time to finish and always fails anyway,bpf:test_progs: unstable, can crash the machine,bpf:test_progs-no_alu32: unstable, can crash the machine.Coverage (including tests skipped during execution)
bpf,breakpoints,capabilities,clone3,core,cpu-hotplug,cpufreq,drivers/dma-buf,drivers/net/bonding,drivers/net/team,efivarfs,filesystems,filesystems/binderfs,filesystems/epoll,firmware,fpu,ftrace,futex,gpio,intel_pstate,ipc,ir,kcmp,kvm,landlock,lib,livepatch,membarrier,memfd,memory-hotplug,mincore,mount,mqueue,nci,net,net/forwarding,net/mptcp,netfilter,nsfs,openat2,pid_namespace,pidfd,pstore,ptrace,rlimits,rseq,rtc,seccomp,sgx,sigaltstack,size,splice,static_keys,sync,syscall_user_dispatch,sysctl,tc-testing,tdx,timens,timers,tmpfs,tpm2,user,vDSO,vm,x86,zramReference
ciqlts9_2-rt(4c5f656231e024966e5df6be5a66e3adf36379fb)Three test runs were conducted on the reference kernel.
kselftests–mixed–ciqlts9_2-rt–run1.log
kselftests–mixed–ciqlts9_2-rt–run2.log
kselftests–mixed–ciqlts9_2-rt–run3.log
Patch
ciqlts9_2-rt-CVE-2023-4623(752717727a98bd7e29840fc4c65f8721aaae6a10)A single test run was conducted on the patched kernel.
kselftests–mixed–ciqlts9_2-rt-CVE-2023-4623.log
Comparison
All of the tests with different results in the tested patch showed inconsistent behavior in the reference tests set itself. The
net/mptcp:mptcp_join.shtest have shown inconsistent behavior before. Likelynet:gro.sh,rtc:rtctest,net:txtimestamp.sh, although not yet on theciqlts9_2-rtplatform. Added to the list of flappy tests.The
net:udpgso_bench.shdid show inconsistent behavior before across different platforms but not on a single one. The one failing test seems to be associated with resources depletionThe
x86:syscall_numbering_64shows inconsistent behavior for the first time. All problems are associated with associatedMODIFIED_BY_PTRACEerrno, and returning -38 by the system call instead (ENOSYS 38 Function not implemented):The details of this failure were not investigated further
Specific tests: passed
The potential UAF condition was found to be reproducible with the following
tccommands sequence:The "100kbps", "50kbps" parts are arbitrary. What's important is the use of
rtfor the inner class andlsfor the leaf class. While the exact UAF was not obtained the commands helped confirm the efficacy of the patch.Reference
The incorrect qdisc hierarchy can be created without any guardrails.
Full logs:
fix-replicate–ciqlts9_2-rt.log
Patch
Creating the incorrect qdisc hierarchy raises a warning, but succeeds. Notice the type of inner class being
scinstead ofrtas shown bytc -g class show dev locommand.Full logs:
fix-replicate–ciqlts9_2-rt-CVE-2023-4623.log