| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Nov 2023 19:49:00 +0530
From: Yuran Pereira <yuran.pereira@...mail.com>
To: gregkh@...uxfoundation.org,
yuran.pereira@...mail.com
Cc: bcm-kernel-feedback-list@...adcom.com,
davem@...emloft.net,
edumazet@...gle.com,
florian.fainelli@...adcom.com,
justin.chen@...adcom.com,
kuba@...nel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
pabeni@...hat.com
Subject: Re: [PATCH] Prevent out-of-bounds read/write in bcmasp_netfilt_rd and bcmasp_netfilt_wr
On a second thought, it might not be a good idea to return
an error without modifying the caller, since the caller of
this function currently uses this return value without checking
if it's an error.
I guess that explains why the first check returns 0.
```
static int bcmasp_netfilt_wr_m_wake(struct bcmasp_priv *priv,
...
{
...
if (first_byte && (!IS_ALIGNED(offset, 4) || size < 3)) {
match_val = bcmasp_netfilt_rd(priv, nfilt,
ASP_NETFILT_MATCH,
ALIGN_DOWN(offset, 4));
mask_val = bcmasp_netfilt_rd(priv, nfilt,
ASP_NETFILT_MASK,
ALIGN_DOWN(offset, 4));
}
shift = (3 - (offset % 4)) * 8;
match_val &= ~GENMASK(shift + 7, shift);
mask_val &= ~GENMASK(shift + 7, shift);
match_val |= (u32)(*((u8 *)match) << shift);
mask_val |= (u32)(*((u8 *)mask) << shift);
```
Powered by blists - more mailing lists