| Message ID | 20231211083758.1082853-1-jiri@resnulli.us (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 65c95f78917ea6fa7ff189a2c19879c4fe161873 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set() | expand |
On 11/12/2023 08:37, Jiri Pirko wrote: > From: Jiri Pirko <jiri@nvidia.com> > > User may not pass DPLL_A_PIN_STATE attribute in the pin set operation > message. Sanitize that by checking if the attr pointer is not null > and process the passed state attribute value only in that case. > > Reported-by: Xingyuan Mo <hdthky0@gmail.com> > Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions") > Signed-off-by: Jiri Pirko <jiri@nvidia.com> > --- > drivers/dpll/dpll_netlink.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c > index 442a0ebeb953..ce7cf736f020 100644 > --- a/drivers/dpll/dpll_netlink.c > +++ b/drivers/dpll/dpll_netlink.c > @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, > struct netlink_ext_ack *extack) > { > struct nlattr *tb[DPLL_A_PIN_MAX + 1]; > - enum dpll_pin_state state; > u32 ppin_idx; > int ret; > > @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, > return -EINVAL; > } > ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]); > - state = nla_get_u32(tb[DPLL_A_PIN_STATE]); > - ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); > - if (ret) > - return ret; > + > + if (tb[DPLL_A_PIN_STATE]) { > + enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]); > + > + ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); > + if (ret) > + return ret; > + } > > return 0; > } I don't believe that "set" command without set value should return 0 meaning "request was completed successfully". Maybe it's better to add another check like for DPLL_A_PIN_PARENT_ID and fill extack with description?
Mon, Dec 11, 2023 at 11:46:24AM CET, vadim.fedorenko@linux.dev wrote: >On 11/12/2023 08:37, Jiri Pirko wrote: >> From: Jiri Pirko <jiri@nvidia.com> >> >> User may not pass DPLL_A_PIN_STATE attribute in the pin set operation >> message. Sanitize that by checking if the attr pointer is not null >> and process the passed state attribute value only in that case. >> >> Reported-by: Xingyuan Mo <hdthky0@gmail.com> >> Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions") >> Signed-off-by: Jiri Pirko <jiri@nvidia.com> >> --- >> drivers/dpll/dpll_netlink.c | 13 ++++++++----- >> 1 file changed, 8 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c >> index 442a0ebeb953..ce7cf736f020 100644 >> --- a/drivers/dpll/dpll_netlink.c >> +++ b/drivers/dpll/dpll_netlink.c >> @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, >> struct netlink_ext_ack *extack) >> { >> struct nlattr *tb[DPLL_A_PIN_MAX + 1]; >> - enum dpll_pin_state state; >> u32 ppin_idx; >> int ret; >> @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, >> return -EINVAL; >> } >> ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]); >> - state = nla_get_u32(tb[DPLL_A_PIN_STATE]); >> - ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); >> - if (ret) >> - return ret; >> + >> + if (tb[DPLL_A_PIN_STATE]) { >> + enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]); >> + >> + ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); >> + if (ret) >> + return ret; >> + } >> return 0; >> } > >I don't believe that "set" command without set value should return 0 >meaning "request was completed successfully". Maybe it's better to add >another check like for DPLL_A_PIN_PARENT_ID and fill extack with >description? Please see dpll_pin_parent_device_set(). State here is treated exactly the same as there. It makes sense during set operation to process only the attributes that are passed. In the future, dpll_pin_parent_pin_set() can process more attributes, lets be prepared for that.
On 11/12/2023 11:43, Jiri Pirko wrote: > Mon, Dec 11, 2023 at 11:46:24AM CET, vadim.fedorenko@linux.dev wrote: >> On 11/12/2023 08:37, Jiri Pirko wrote: >>> From: Jiri Pirko <jiri@nvidia.com> >>> >>> User may not pass DPLL_A_PIN_STATE attribute in the pin set operation >>> message. Sanitize that by checking if the attr pointer is not null >>> and process the passed state attribute value only in that case. >>> >>> Reported-by: Xingyuan Mo <hdthky0@gmail.com> >>> Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions") >>> Signed-off-by: Jiri Pirko <jiri@nvidia.com> >>> --- >>> drivers/dpll/dpll_netlink.c | 13 ++++++++----- >>> 1 file changed, 8 insertions(+), 5 deletions(-) >>> >>> diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c >>> index 442a0ebeb953..ce7cf736f020 100644 >>> --- a/drivers/dpll/dpll_netlink.c >>> +++ b/drivers/dpll/dpll_netlink.c >>> @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, >>> struct netlink_ext_ack *extack) >>> { >>> struct nlattr *tb[DPLL_A_PIN_MAX + 1]; >>> - enum dpll_pin_state state; >>> u32 ppin_idx; >>> int ret; >>> @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, >>> return -EINVAL; >>> } >>> ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]); >>> - state = nla_get_u32(tb[DPLL_A_PIN_STATE]); >>> - ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); >>> - if (ret) >>> - return ret; >>> + >>> + if (tb[DPLL_A_PIN_STATE]) { >>> + enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]); >>> + >>> + ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); >>> + if (ret) >>> + return ret; >>> + } >>> return 0; >>> } >> >> I don't believe that "set" command without set value should return 0 >> meaning "request was completed successfully". Maybe it's better to add >> another check like for DPLL_A_PIN_PARENT_ID and fill extack with >> description? > > Please see dpll_pin_parent_device_set(). State here is treated exactly > the same as there. It makes sense during set operation to process only > the attributes that are passed. In the future, dpll_pin_parent_pin_set() > can process more attributes, lets be prepared for that. Ok, let's be ready. Acked-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Mon, 11 Dec 2023 09:37:58 +0100 you wrote: > From: Jiri Pirko <jiri@nvidia.com> > > User may not pass DPLL_A_PIN_STATE attribute in the pin set operation > message. Sanitize that by checking if the attr pointer is not null > and process the passed state attribute value only in that case. > > Reported-by: Xingyuan Mo <hdthky0@gmail.com> > Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions") > Signed-off-by: Jiri Pirko <jiri@nvidia.com> > > [...] Here is the summary with links: - [net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set() https://git.kernel.org/netdev/net/c/65c95f78917e You are awesome, thank you!
diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c index 442a0ebeb953..ce7cf736f020 100644 --- a/drivers/dpll/dpll_netlink.c +++ b/drivers/dpll/dpll_netlink.c @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, struct netlink_ext_ack *extack) { struct nlattr *tb[DPLL_A_PIN_MAX + 1]; - enum dpll_pin_state state; u32 ppin_idx; int ret; @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest, return -EINVAL; } ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]); - state = nla_get_u32(tb[DPLL_A_PIN_STATE]); - ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); - if (ret) - return ret; + + if (tb[DPLL_A_PIN_STATE]) { + enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]); + + ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack); + if (ret) + return ret; + } return 0; }