Re: [PATCH net] net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing

From: Cong Wang
Date: Fri Jul 25 2025 - 14:04:12 EST

Next message: Yu Kuai: "[PATCH v2] blk-ioc: don't hold queue_lock for ioc_lookup_icq()"
Previous message: David Hildenbrand: "Re: [PATCH] MAINTAINERS: Add missing headers to mempory policy & migration section"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 23, 2025 at 01:55:21PM +0100, Simon Horman wrote:
> + Ferenc and Vladimir
>
> On Tue, Jul 22, 2025 at 04:51:21PM +0100, Maher Azzouzi wrote:
> > From: MaherAzzouzi <maherazz04@xxxxxxxxx>
>
> nit: space between your names please
>
> >
> > TCA_MQPRIO_TC_ENTRY_INDEX is validated using
> > NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
> > TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in
> > the fp[] array, which only has room for 16 elements (0–15).
> >
> > Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.
> >
> > Fixes: f62af20bed2d ("net/sched: mqprio: allow per-TC user input of FP adminStatus")
> > Reported-by: Maher Azzouzi <maherazz04@xxxxxxxxx>
>
> I don't think there is any need to include a Reported-by tag if
> you are also the patch author.

+1

>
> > Signed-off-by: Maher Azzouzi <maherazz04@xxxxxxxxx>
>
> I agree with your analysis and that this is a good fix.
>
> Reviewed-by: Simon Horman <horms@xxxxxxxxxx>

Reviewed-by: Cong Wang <xiyou.wangcong@xxxxxxxxx>

Thanks for the patch.

Next message: Yu Kuai: "[PATCH v2] blk-ioc: don't hold queue_lock for ioc_lookup_icq()"
Previous message: David Hildenbrand: "Re: [PATCH] MAINTAINERS: Add missing headers to mempory policy & migration section"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]