lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAEnQdOpfJAaQN+D-Wxff13v+gMS5PR8J1TPWCGtKww41=Xt-UA@mail.gmail.com>
Date: Mon, 14 Apr 2025 17:55:38 +0800
From: henry martin <bsdhenrymartin@...il.com>
To: Michal Swiatkowski <michal.swiatkowski@...ux.intel.com>
Cc: saeedm@...dia.com, leon@...nel.org, tariqt@...dia.com, 
	netdev@...r.kernel.org, andrew+netdev@...n.ch, davem@...emloft.net, 
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, amirtz@...dia.com, 
	ayal@...dia.com, linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/1] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()

> There is ttc = kvzalloc() before. I think you should call kvfree(ttc)
> before returning. It looks like the same leak is already when
> params->ns_type is unknown.

Thanks for the review and the helpful suggestions!

I've addressed the kvfree(ttc) memory leak issue and updated the logic
accordingly in both code paths. The updated patch has been sent out as v4.

Regards,
Henry


Michal Swiatkowski <michal.swiatkowski@...ux.intel.com> 于2025年4月11日周五 13:34写道:
>
> On Fri, Apr 11, 2025 at 10:29:16AM +0800, Henry Martin wrote:
> > Add NULL check for mlx5_get_flow_namespace() returns in
> > mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
> > NULL pointer dereference.
> >
> > Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
> > Signed-off-by: Henry Martin <bsdhenrymartin@...il.com>
> > ---
> > V2 -> V3: No functional changes, just gathering the patches in a series.
> > V1 -> V2: Add a empty line after the return statement.
> >
> >  drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> > index eb3bd9c7f66e..18cc6960a5c1 100644
> > --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> > +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> > @@ -655,6 +655,9 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
> >       }
> >
> >       ns = mlx5_get_flow_namespace(dev, params->ns_type);
> > +     if (!ns)
> > +             return ERR_PTR(-EOPNOTSUPP);
>
> There is ttc = kvzalloc() before. I think you should call kvfree(ttc)
> before returning. It looks like the same leak is already when
> params->ns_type is unknown.
>
> > +
> >       groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
> >                              &inner_ttc_groups[TTC_GROUPS_DEFAULT];
> >
> > @@ -728,6 +731,9 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
> >       }
> >
> >       ns = mlx5_get_flow_namespace(dev, params->ns_type);
> > +     if (!ns)
> > +             return ERR_PTR(-EOPNOTSUPP);
>
> The same here.
>
> > +
> >       groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
> >                              &ttc_groups[TTC_GROUPS_DEFAULT];
> >
> > --
> > 2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ