From patchwork Mon Mar 17 09:04:00 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Seiderer
X-Patchwork-Id: 14018988
X-Patchwork-Delegate: kuba@kernel.org
From: Peter Seiderer
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Dan Carpenter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, Peter Seiderer
Subject: [PATCH net-next v1 1/2] net: pktgen: add strict buffer parsing index check
Date: Mon, 17 Mar 2025 10:04:00 +0100
Message-ID: <20250317090401.1240704-1-ps.report@gmx.net>
X-Mailer: git-send-email 2.48.1
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Add strict buffer parsing index check to avoid the following Smatch warning:

  net/core/pktgen.c:877 get_imix_entries() warn: check that incremented offset 'i' is capped

Checking the buffer index i after every get_user/i++ step and returning with error code immediately avoids the current indirect (but correct) error handling.

Reported-by: Dan Carpenter
Closes: https://lore.kernel.org/netdev/36cf3ee2-38b1-47e5-a42a-363efeb0ace3@stanley.mountain/
Signed-off-by: Peter Seiderer
---
 net/core/pktgen.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/core/pktgen.c b/net/core/pktgen.c index e850598db3e7..fe7fdefab994 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -856,6 +856,9 @@ static ssize_t get_imix_entries(const char __user *buffer, if (pkt_dev->n_imix_entries >= MAX_IMIX_ENTRIES) return -E2BIG; + if (i >= maxlen) + return -EINVAL; + max = min(10, maxlen - i); len = num_arg(&buffer[i], max, &size); if (len < 0) @@ -869,6 +872,8 @@ static ssize_t get_imix_entries(const char __user *buffer, if (c != ',') return -EINVAL; i++; + if (i >= maxlen) + return -EINVAL; if (size < 14 + 20 + 8) size = 14 + 20 + 8; @@ -911,6 +916,9 @@ static ssize_t get_labels(const char __user *buffer, if (n >= MAX_MPLS_LABELS) return -E2BIG; + if (i >= maxlen) + return -EINVAL; + max = min(8, maxlen - i); len = hex32_arg(&buffer[i], max, &tmp); if (len < 0)
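
Review bot: The new i >= maxlen test ahead of max = min(10, maxlen - i) in get_imix_entries() (hunk @@ -856,6 +856,9 @@) carries no comment, and the commit message itself says the old handling was correct, so a later cleanup could drop the test as redundant. A one-line comment stating that it keeps maxlen - i positive before num_arg() is called, and that Smatch wants the explicit cap, would protect it.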
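
Review bot: In the second get_imix_entries() hunk (@@ -869,6 +872,8 @@), input that ends directly after the ',' now returns -EINVAL at the check added after i++. The commit message calls the previous handling "indirect (but correct)" without naming the error code that path produced; please state whether userspace sees the same errno as before for this input, and if it differs, record that in the commit message.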
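
Review bot: The get_labels() hunk (@@ -911,6 +916,9 @@) adds the same i >= maxlen test before hex32_arg(), but the commit message quotes only the Smatch warning for get_imix_entries() at net/core/pktgen.c:877. Mention get_labels() in the message, either with its own warning text or as a pre-emptive change for the same pattern, so the reason for touching it is recorded.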