Date:   Thu, 4 Mar 2021 10:16:02 +0000
From:   Colin Ian King <colin.king@...onical.com>
To:     Xiaoliang Yang <xiaoliang.yang_1@....com>
Cc:     Vladimir Oltean <vladimir.oltean@....com>,
        Claudiu Manoil <claudiu.manoil@....com>,
        Alexandre Belloni <alexandre.belloni@...tlin.com>,
        UNGLinuxDriver@...rochip.com,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: net: mscc: ocelot: issue with uninitialized pointer read in ocelot_flower_parse_key

Hi,

Static analysis with Coverity has detected an uninitialized pointer read
in function ocelot_flower_parse_key in
drivers/net/ethernet/mscc/ocelot_flower.c, introduced by commit:

commit 75944fda1dfe836fdd406bef6cb3cc8a80f7af83
Author: Xiaoliang Yang <xiaoliang.yang_1@....com>
Date:   Fri Oct 2 15:02:23 2020 +0300

    net: mscc: ocelot: offload ingress skbedit and vlan actions to VCAP IS1

The analysis is as follows:

531

   10. Condition flow_rule_match_key(rule,
FLOW_DISSECTOR_KEY_IPV4_ADDRS), taking true branch.
   11. Condition proto == 2048, taking true branch.

532        if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS) &&
533            proto == ETH_P_IP) {

   12. var_decl: Declaring variable match without initializer.

534                struct flow_match_ipv4_addrs match;
535                u8 *tmp;
536

   13. Condition filter->block_id == VCAP_ES0, taking false branch.

537                if (filter->block_id == VCAP_ES0) {
538                        NL_SET_ERR_MSG_MOD(extack,
539                                           "VCAP ES0 cannot match on IP address");
540                        return -EOPNOTSUPP;
541                }
542

   14. Condition filter->block_id == VCAP_IS1, taking true branch.
   Uninitialized pointer read (UNINIT)
   15. uninit_use: Using uninitialized value match.mask.

543                if (filter->block_id == VCAP_IS1 && *(u32 *)&match.mask->dst) {
544                        NL_SET_ERR_MSG_MOD(extack,
545                                           "Key type S1_NORMAL cannot match on destination IP");
546                        return -EOPNOTSUPP;
547                }

match is declared on line 534 and is not initialized, and the
uninitialized match.mask is dereferenced on line 543. I'm not sure what
the intent was here or how to fix it, hence I'm reporting this issue.

Colin
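The defect pattern in the report, as an added stand-alone example that is not part of the original message and not kernel code. The structs and the helper below are deliberately simplified stand-ins for the kernel's struct flow_match_ipv4_addrs and flow_rule_match_ipv4_addrs(); the "corrected shape" assumes that the intended fix is to populate the match (which that helper does) before match.mask is read, and that assumption is marked in the comments. Constructed rules are used as input so it runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EOPNOTSUPP 95   /* the Linux errno value, stand-in for <errno.h> */

enum vcap_block { VCAP_IS1, VCAP_IS2, VCAP_ES0 };

/* Stand-in for struct flow_dissector_key_ipv4_addrs. */
struct ipv4_addrs {
	uint32_t src;
	uint32_t dst;
};

/* Stand-in for struct flow_match_ipv4_addrs: two pointers into the rule. */
struct match_ipv4_addrs {
	struct ipv4_addrs *key;
	struct ipv4_addrs *mask;
};

/* Stand-in for struct flow_rule: the dissector key/mask it was built from. */
struct rule {
	int has_ipv4_addrs;     /* what flow_rule_match_key() would report */
	struct ipv4_addrs key;
	struct ipv4_addrs mask;
};

/* Stand-in for flow_rule_match_ipv4_addrs(): makes match point at the rule. */
static void rule_match_ipv4_addrs(struct rule *r, struct match_ipv4_addrs *m)
{
	m->key = &r->key;
	m->mask = &r->mask;
}

/*
 * Shape of the code in the report (left as a comment, because reading an
 * indeterminate pointer is undefined behaviour and must not be executed):
 *
 *	struct match_ipv4_addrs match;                  // no initializer
 *	if (block_id == VCAP_ES0) return -EOPNOTSUPP;
 *	if (block_id == VCAP_IS1 && match.mask->dst)    // UNINIT read
 *		return -EOPNOTSUPP;
 *
 * Nothing between the declaration and the dereference writes match.mask,
 * so whatever was on the stack is used as a pointer.
 */

/*
 * Corrected shape (assumed fix, not the maintainers' patch): populate match
 * before reading through it. Returns 0 when the key is acceptable and
 * -EOPNOTSUPP when the block cannot match on it.
 */
static int parse_ipv4_key(struct rule *r, enum vcap_block block_id)
{
	struct match_ipv4_addrs match;

	if (!r->has_ipv4_addrs)
		return 0;                       /* no IPv4 address key present */

	if (block_id == VCAP_ES0)
		return -EOPNOTSUPP;             /* ES0 cannot match on IP address */

	rule_match_ipv4_addrs(r, &match);       /* match.mask is now valid */

	if (block_id == VCAP_IS1 && match.mask->dst)
		return -EOPNOTSUPP;             /* S1_NORMAL cannot match on dst IP */

	return 0;
}

/* Builds a constructed rule (optional exact match on dst) and parses it. */
static int check(int has_ipv4, uint32_t dst_mask, enum vcap_block block_id)
{
	struct rule r;

	memset(&r, 0, sizeof(r));
	r.has_ipv4_addrs = has_ipv4;
	r.key.dst = 0x0a000001u;                /* 10.0.0.1, constructed value */
	r.mask.dst = dst_mask;
	return parse_ipv4_key(&r, block_id);
}

int main(void)
{
	printf("IS1, dst match   : %d\n", check(1, 0xffffffffu, VCAP_IS1));
	printf("IS1, src only    : %d\n", check(1, 0, VCAP_IS1));
	printf("IS2, dst match   : %d\n", check(1, 0xffffffffu, VCAP_IS2));
	printf("ES0, dst match   : %d\n", check(1, 0xffffffffu, VCAP_ES0));
	printf("IS1, no IPv4 key : %d\n", check(0, 0xffffffffu, VCAP_IS1));
	return 0;
}
```

The point of the ordering is that every read through match.key or match.mask must come after the call that fills the struct; in the kernel the same holds for the other flow_rule_match_*() helpers, which is what a reviewer would look for when checking the real fix.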
