[net] net: ethtool: pse-pd: Fix possible null-deref

Message ID	20240709131201.166421-1-kory.maincent@bootlin.com (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F288382; Tue, 9 Jul 2024 13:12:05 +0000 (UTC) From: Kory Maincent <kory.maincent@bootlin.com> To: "Kory Maincent (Dent Project)" <kory.maincent@bootlin.com>, Jakub Kicinski <kuba@kernel.org>, Andrew Lunn <andrew@lunn.ch>, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Oleksij Rempel <o.rempel@pengutronix.de>, thomas.petazzoni@bootlin.com, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com> Subject: [PATCH net] net: ethtool: pse-pd: Fix possible null-deref Date: Tue, 9 Jul 2024 15:12:01 +0200 Message-Id: <20240709131201.166421-1-kory.maincent@bootlin.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[net] net: ethtool: pse-pd: Fix possible null-deref \| expand [net] net: ethtool: pse-pd: Fix possible null-deref

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 833 this patch: 833
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 6 of 6 maintainers
netdev/build_clang	success	Errors and warnings before: 835 this patch: 835
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 835 this patch: 835
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Kory Maincent July 9, 2024, 1:12 p.m. UTC

Fix a possible null dereference when a PSE supports both c33 and PoDL, but
only one of the netlink attributes is specified. The c33 or PoDL PSE
capabilities are already validated in the ethnl_set_pse_validate() call.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20240705184116.13d8235a@kernel.org/
Fixes: 4d18e3ddf427 ("net: ethtool: pse-pd: Expand pse commands with the PSE PoE interface")
---
 net/ethtool/pse-pd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Jakub Kicinski July 9, 2024, 2:18 p.m. UTC | #1

On Tue,  9 Jul 2024 15:12:01 +0200 Kory Maincent wrote:
> Fix a possible null dereference when a PSE supports both c33 and PoDL, but
> only one of the netlink attributes is specified. The c33 or PoDL PSE
> capabilities are already validated in the ethnl_set_pse_validate() call.
> 
> Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
> Reported-by: Jakub Kicinski <kuba@kernel.org>
> Closes: https://lore.kernel.org/netdev/20240705184116.13d8235a@kernel.org/
> Fixes: 4d18e3ddf427 ("net: ethtool: pse-pd: Expand pse commands with the PSE PoE interface")
> ---
>  net/ethtool/pse-pd.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ethtool/pse-pd.c b/net/ethtool/pse-pd.c
> index 2c981d443f27..9dc70eb50039 100644
> --- a/net/ethtool/pse-pd.c
> +++ b/net/ethtool/pse-pd.c
> @@ -178,9 +178,9 @@ ethnl_set_pse(struct ethnl_req_info *req_info, struct genl_info *info)
>  
>  	phydev = dev->phydev;
>  	/* These values are already validated by the ethnl_pse_set_policy */
> -	if (pse_has_podl(phydev->psec))
> +	if (tb[ETHTOOL_A_PODL_PSE_ADMIN_CONTROL])
>  		config.podl_admin_control = nla_get_u32(tb[ETHTOOL_A_PODL_PSE_ADMIN_CONTROL]);
> -	if (pse_has_c33(phydev->psec))
> +	if (tb[ETHTOOL_A_C33_PSE_ADMIN_CONTROL])
>  		config.c33_admin_control = nla_get_u32(tb[ETHTOOL_A_C33_PSE_ADMIN_CONTROL]);
>  
>  	/* Return errno directly - PSE has no notification */

At a glance this doesn't follow usual ethtool flow.
If user doesn't specify a value the previous configuration should be
kept. We init config to 0. Is 0 a special value for both those params
which tells drivers "don't change" ?
Normal ethtool flow is to first fill in the data with a ->get() then
modify what user wants to change.

Either we need:
 - an explanation in the commit message how this keeps old config; or
 - a ->get() to keep the previous values; or
 - just reject setting one value but not the other in
   ethnl_set_pse_validate() (assuming it never worked, anyway).

Kory Maincent July 9, 2024, 2:43 p.m. UTC | #2

On Tue, 9 Jul 2024 07:18:46 -0700
Jakub Kicinski <kuba@kernel.org> wrote:

> > -	if (pse_has_podl(phydev->psec))
> > +	if (tb[ETHTOOL_A_PODL_PSE_ADMIN_CONTROL])
> >  		config.podl_admin_control =
> > nla_get_u32(tb[ETHTOOL_A_PODL_PSE_ADMIN_CONTROL]);
> > -	if (pse_has_c33(phydev->psec))
> > +	if (tb[ETHTOOL_A_C33_PSE_ADMIN_CONTROL])
> >  		config.c33_admin_control =
> > nla_get_u32(tb[ETHTOOL_A_C33_PSE_ADMIN_CONTROL]); 
> >  	/* Return errno directly - PSE has no notification */  
> 
> At a glance this doesn't follow usual ethtool flow.
> If user doesn't specify a value the previous configuration should be
> kept. We init config to 0. Is 0 a special value for both those params
> which tells drivers "don't change" ?

Mmh in case of a PSE controller supporting PoE or PoDL on its ports, a 0 config
value will return a ENOTSUPP error from the PSE core. We might have an issue in
that case which doesn't exist for now as there is no such controller.

As a PSE port can't be PoE and PoDL maybe the PSE type should be related to the
PSE port and not the full PSE driver.

> Normal ethtool flow is to first fill in the data with a ->get() then
> modify what user wants to change.
> 
> Either we need:
>  - an explanation in the commit message how this keeps old config; or
>  - a ->get() to keep the previous values; or
>  - just reject setting one value but not the other in
>    ethnl_set_pse_validate() (assuming it never worked, anyway).

In fact it is the contrary we can't set both value at the same time because a
PSE port can't be a PoE and a PoDL power interface at the same time.

Regards,

Jakub Kicinski July 9, 2024, 3:52 p.m. UTC | #3

On Tue, 9 Jul 2024 16:43:05 +0200 Kory Maincent wrote:
> > Normal ethtool flow is to first fill in the data with a ->get() then
> > modify what user wants to change.
> > 
> > Either we need:
> >  - an explanation in the commit message how this keeps old config; or
> >  - a ->get() to keep the previous values; or
> >  - just reject setting one value but not the other in
> >    ethnl_set_pse_validate() (assuming it never worked, anyway).  
> 
> In fact it is the contrary we can't set both value at the same time because a
> PSE port can't be a PoE and a PoDL power interface at the same time.

In that case maybe we should have an inverse condition in validate, too?
Something like:

	if ((pse_has_podl(phydev->psec) &&
	     GENL_REQ_ATTR_CHECK(info, ETHTOOL_A_PODL_PSE_ADMIN_CONTROL)) ||
	    (pse_has_c33(phydev->psec) &&
	     GENL_REQ_ATTR_CHECK(info, ETHTOOL_A_C33_PSE_ADMIN_CONTROL)))
		return -EINVAL;

GENL_REQ_ATTR_CHECK will set the extack for us.

Kory Maincent July 9, 2024, 4:33 p.m. UTC | #4

On Tue, 9 Jul 2024 08:52:05 -0700
Jakub Kicinski <kuba@kernel.org> wrote:

> On Tue, 9 Jul 2024 16:43:05 +0200 Kory Maincent wrote:
> > > Normal ethtool flow is to first fill in the data with a ->get() then
> > > modify what user wants to change.
> > > 
> > > Either we need:
> > >  - an explanation in the commit message how this keeps old config; or
> > >  - a ->get() to keep the previous values; or
> > >  - just reject setting one value but not the other in
> > >    ethnl_set_pse_validate() (assuming it never worked, anyway).    
> > 
> > In fact it is the contrary we can't set both value at the same time because
> > a PSE port can't be a PoE and a PoDL power interface at the same time.  
> 
> In that case maybe we should have an inverse condition in validate, too?
> Something like:
> 
> 	if ((pse_has_podl(phydev->psec) &&
> 	     GENL_REQ_ATTR_CHECK(info, ETHTOOL_A_PODL_PSE_ADMIN_CONTROL)) ||
> 	    (pse_has_c33(phydev->psec) &&
> 	     GENL_REQ_ATTR_CHECK(info, ETHTOOL_A_C33_PSE_ADMIN_CONTROL)))
> 		return -EINVAL;
> 
> GENL_REQ_ATTR_CHECK will set the extack for us.

I don't think it will work.
In a case a PSE controller have one PoDL port and one PoE port.
Your code will always return EINVAL if we try to set the config of only one of
those ports. 

I think the patch I sent plus a change in pse-pd core to do nothing in case of
an empty config will do.

Regards,

[net] net: ethtool: pse-pd: Fix possible null-deref

Checks

Commit Message

Comments

Patch