diff mbox series

[net] net: dsa: fix a crash if ->get_sset_count() fails

Message ID	YJaSe3RPgn7gKxZv@mwanda (mailing list archive)
State	Accepted
Commit	a269333fa5c0c8e53c92b5a28a6076a28cde3e83
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> Date: Sat, 8 May 2021 16:30:35 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Andrew Lunn <andrew@lunn.ch>, Florian Fainelli <f.fainelli@gmail.com> Cc: Vivien Didelot <vivien.didelot@gmail.com>, Vladimir Oltean <olteanv@gmail.com>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH net] net: dsa: fix a crash if ->get_sset_count() fails Message-ID: <YJaSe3RPgn7gKxZv@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk
Series	[net] net: dsa: fix a crash if ->get_sset_count() fails \| expand [net] net: dsa: fix a crash if ->get_sset_count() fails

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Clearly marked for net
netdev/subject_prefix	success	Link
netdev/cc_maintainers	success	CCed 7 of 7 maintainers
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 37 this patch: 37
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 17 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 30 this patch: 30
netdev/header_inline	success	Link

Commit Message

Dan Carpenter May 8, 2021, 1:30 p.m. UTC

If ds->ops->get_sset_count() fails then it "count" is a negative error
code such as -EOPNOTSUPP.  Because "i" is an unsigned int, the negative
error code is type promoted to a very high value and the loop will
corrupt memory until the system crashes.

Fix this by checking for error codes and changing the type of "i" to
just int.

Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/dsa/master.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Andrew Lunn May 8, 2021, 5:25 p.m. UTC | #1

On Sat, May 08, 2021 at 04:30:35PM +0300, Dan Carpenter wrote:
> If ds->ops->get_sset_count() fails then it "count" is a negative error
> code such as -EOPNOTSUPP.  Because "i" is an unsigned int, the negative
> error code is type promoted to a very high value and the loop will
> corrupt memory until the system crashes.
> 
> Fix this by checking for error codes and changing the type of "i" to
> just int.
> 
> Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew

Florian Fainelli May 8, 2021, 5:31 p.m. UTC | #2

On 5/8/21 6:30 AM, Dan Carpenter wrote:
> If ds->ops->get_sset_count() fails then it "count" is a negative error
> code such as -EOPNOTSUPP.  Because "i" is an unsigned int, the negative
> error code is type promoted to a very high value and the loop will
> corrupt memory until the system crashes.
> 
> Fix this by checking for error codes and changing the type of "i" to
> just int.
> 
> Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>

Vladimir Oltean May 8, 2021, 6:32 p.m. UTC | #3

On Sat, May 08, 2021 at 04:30:35PM +0300, Dan Carpenter wrote:
> If ds->ops->get_sset_count() fails then it "count" is a negative error
> code such as -EOPNOTSUPP.  Because "i" is an unsigned int, the negative
> error code is type promoted to a very high value and the loop will
> corrupt memory until the system crashes.
> 
> Fix this by checking for error codes and changing the type of "i" to
> just int.
> 
> Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---

Reviewed-by: Vladimir Oltean <olteanv@gmail.com>

patchwork-bot+netdevbpf@kernel.org May 10, 2021, 9:40 p.m. UTC | #4

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Sat, 8 May 2021 16:30:35 +0300 you wrote:
> If ds->ops->get_sset_count() fails then it "count" is a negative error
> code such as -EOPNOTSUPP.  Because "i" is an unsigned int, the negative
> error code is type promoted to a very high value and the loop will
> corrupt memory until the system crashes.
> 
> Fix this by checking for error codes and changing the type of "i" to
> just int.
> 
> [...]

Here is the summary with links:
  - [net] net: dsa: fix a crash if ->get_sset_count() fails
    https://git.kernel.org/netdev/net/c/a269333fa5c0

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

diff mbox series

Patch

diff --git a/net/dsa/master.c b/net/dsa/master.c
index 052a977914a6..63adbc21a735 100644
--- a/net/dsa/master.c
+++ b/net/dsa/master.c
@@ -147,8 +147,7 @@  static void dsa_master_get_strings(struct net_device *dev, uint32_t stringset,
 	struct dsa_switch *ds = cpu_dp->ds;
 	int port = cpu_dp->index;
 	int len = ETH_GSTRING_LEN;
-	int mcount = 0, count;
-	unsigned int i;
+	int mcount = 0, count, i;
 	uint8_t pfx[4];
 	uint8_t *ndata;
 
@@ -178,6 +177,8 @@  static void dsa_master_get_strings(struct net_device *dev, uint32_t stringset,
 		 */
 		ds->ops->get_strings(ds, port, stringset, ndata);
 		count = ds->ops->get_sset_count(ds, port, stringset);
+		if (count < 0)
+			return;
 		for (i = 0; i < count; i++) {
 			memmove(ndata + (i * len + sizeof(pfx)),
 				ndata + i * len, len - sizeof(pfx));