
net/dsa: fix oob in dsa_user_prechangeupper

Message ID tencent_293767377D86CBF3726365497A43BD445205@qq.com (mailing list archive)
State Rejected
Delegated to: Netdev Maintainers
Series net/dsa: fix oob in dsa_user_prechangeupper

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1092 this patch: 1092
netdev/cc_maintainers success CCed 0 of 0 maintainers
netdev/build_clang success Errors and warnings before: 1107 this patch: 1107
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1107 this patch: 1107
netdev/checkpatch fail ERROR: trailing whitespace
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Edward Adam Davis Jan. 16, 2024, 2:56 p.m. UTC
If the private data is not allocated memory when generating an instance of 
struct net_device, i.e. priv_size is too small, then its corresponding private
data should not be accessed.

Reported-and-tested-by: syzbot+7ec955e36bb239bd720f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/dsa/user.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Vladimir Oltean Jan. 16, 2024, 3:31 p.m. UTC | #1
On Tue, Jan 16, 2024 at 10:56:26PM +0800, Edward Adam Davis wrote:
> If the private data is not allocated memory when generating an instance of 
> struct net_device, i.e. priv_size is too small, then its corresponding private
> data should not be accessed.
> 
> Reported-and-tested-by: syzbot+7ec955e36bb239bd720f@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  net/dsa/user.h | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/dsa/user.h b/net/dsa/user.h
> index 996069130bea..9a40918ee7fc 100644
> --- a/net/dsa/user.h
> +++ b/net/dsa/user.h
> @@ -53,7 +53,11 @@ int dsa_user_manage_vlan_filtering(struct net_device *dev,
>  
>  static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
>  {
> -	struct dsa_user_priv *p = netdev_priv(dev);
> +	const struct rtnl_link_ops *ops = dev->rtnl_link_ops;
> +	struct dsa_user_priv *p = ops->priv_size >= sizeof(*p) ? 
> +		netdev_priv(dev) : NULL;
> +	if (!p)
> +		return NULL;
>  
>  	return p->dp;
>  }
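Review bot: The new initializer dereferences `dev->rtnl_link_ops` unconditionally (`ops->priv_size`), and nothing in this hunk guarantees that pointer is set; a net_device registered without rtnl link ops would fault here before the size comparison is reached. At minimum this needs `ops && ops->priv_size >= sizeof(*p)`. The comparison is also a size test, not a type test: any device whose link ops declare a priv_size at least as large as struct dsa_user_priv passes it, and its private area is then read as a dsa_user_priv, so `p->dp` is still an arbitrary value for a non-DSA device. Identifying the device as a DSA user device before calling the helper would address the cause rather than one symptom.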
> -- 
> 2.43.0
> 

The problem has been fixed by:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=844f104790bd

pw-bot: rejected

Patch

diff --git a/net/dsa/user.h b/net/dsa/user.h
index 996069130bea..9a40918ee7fc 100644
--- a/net/dsa/user.h
+++ b/net/dsa/user.h
@@ -53,7 +53,11 @@  int dsa_user_manage_vlan_filtering(struct net_device *dev,
 
 static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
 {
-	struct dsa_user_priv *p = netdev_priv(dev);
+	const struct rtnl_link_ops *ops = dev->rtnl_link_ops;
+	struct dsa_user_priv *p = ops->priv_size >= sizeof(*p) ? 
+		netdev_priv(dev) : NULL;
+	if (!p)
+		return NULL;
 
 	return p->dp;
 }
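Review bot: Returning NULL from dsa_user_to_port() at `if (!p) return NULL;` changes the helper's contract without touching any caller. Before this hunk the function always returned `p->dp`, so callers had no reason to test the result, and the diffstat shows only net/dsa/user.h being modified; every call site that goes on to dereference the returned port would turn the out-of-bounds read into a NULL dereference. Either audit and update the callers in the same patch or keep the helper unconditional and reject non-DSA devices where the netdev event is first handled. On style: the `+` line ending in `? ` carries trailing whitespace (the checkpatch failure listed above), and a blank line is expected between the declarations and `if (!p)`.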