Re: [PATCH net v1] net/sched: cls_api: complement tcf_tfilter_dump_policy

[Lin Ma]

Hello Jamal,

> >
> > Sorry, still trying to follow your reasoning that this is a "net issue":
> > As you point out, the skb will have enough space to carry the 32 bit
> > value. Worst case is we read garbage. And the dump, using this garbage
> > chain index,  will not find the chain or will find some unintended
> > chain. Am i missing something?

Thanks for your replying. 

I investigated the code and yes, as you said, the skb data will carry
a tailing space used for putting `struct skb_shared_info`. Hence, 32
bit is not enough here to conduct an overflow read to next object.

Hence I guess you have not missed anything but I do. For the
CVE-2023-3773, the read value is dumped to user-space so the leak is
direct. But since the chain index is not directly dumped
into userspace. The attacker can only exploit this via a side-channel
manner. Assuming the attacker could create as many chain as he can
(2**32 maybe ;P), then the dump from the garbage chain index will leak
the kernel data indirectly.

> >
> > Can you send me a repro (privately) that actually causes the "heap
> > data leak" if you have one?
> 
> To clarify what triggered me is your tie of this as an exploit and
> quoting CVEs. Maybe not so much net vs net-next.

There may be a misunderstanding here. I didn't write such a side-channel
exploit here and as you point out, this is not an easy and worthy task.
(but If you are asking the exploit for CVE-2023-3773, I will inform you
 when it is send to oss-security)

Anyway, I believe you are right. Given the fact that I ignore the
difficulty of this exploitation, such a bug rather than a vulnerability
should go to net-next instead of net. 

Shall I add any tag from you like Suggested or Reviewed?

> cheers,
> jamal
> 

Thanks
Lin