lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240709071846.7b113db7@kernel.org>
Date: Tue, 9 Jul 2024 07:18:46 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Kory Maincent <kory.maincent@...tlin.com>
Cc: Andrew Lunn <andrew@...n.ch>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org, Oleksij Rempel <o.rempel@...gutronix.de>,
 thomas.petazzoni@...tlin.com, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH net] net: ethtool: pse-pd: Fix possible null-deref

On Tue,  9 Jul 2024 15:12:01 +0200 Kory Maincent wrote:
> Fix a possible null dereference when a PSE supports both c33 and PoDL, but
> only one of the netlink attributes is specified. The c33 or PoDL PSE
> capabilities are already validated in the ethnl_set_pse_validate() call.
> 
> Signed-off-by: Kory Maincent <kory.maincent@...tlin.com>
> Reported-by: Jakub Kicinski <kuba@...nel.org>
> Closes: https://lore.kernel.org/netdev/20240705184116.13d8235a@kernel.org/
> Fixes: 4d18e3ddf427 ("net: ethtool: pse-pd: Expand pse commands with the PSE PoE interface")
> ---
>  net/ethtool/pse-pd.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ethtool/pse-pd.c b/net/ethtool/pse-pd.c
> index 2c981d443f27..9dc70eb50039 100644
> --- a/net/ethtool/pse-pd.c
> +++ b/net/ethtool/pse-pd.c
> @@ -178,9 +178,9 @@ ethnl_set_pse(struct ethnl_req_info *req_info, struct genl_info *info)
>  
>  	phydev = dev->phydev;
>  	/* These values are already validated by the ethnl_pse_set_policy */
> -	if (pse_has_podl(phydev->psec))
> +	if (tb[ETHTOOL_A_PODL_PSE_ADMIN_CONTROL])
>  		config.podl_admin_control = nla_get_u32(tb[ETHTOOL_A_PODL_PSE_ADMIN_CONTROL]);
> -	if (pse_has_c33(phydev->psec))
> +	if (tb[ETHTOOL_A_C33_PSE_ADMIN_CONTROL])
>  		config.c33_admin_control = nla_get_u32(tb[ETHTOOL_A_C33_PSE_ADMIN_CONTROL]);
>  
>  	/* Return errno directly - PSE has no notification */

At a glance this doesn't follow usual ethtool flow.
If user doesn't specify a value the previous configuration should be
kept. We init config to 0. Is 0 a special value for both those params
which tells drivers "don't change" ?
Normal ethtool flow is to first fill in the data with a ->get() then
modify what user wants to change.

Either we need:
 - an explanation in the commit message how this keeps old config; or
 - a ->get() to keep the previous values; or
 - just reject setting one value but not the other in
   ethnl_set_pse_validate() (assuming it never worked, anyway).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ