Message-ID: <20180215183139.GA23076@embeddedor.com>
Date:   Thu, 15 Feb 2018 12:31:39 -0600
From:   "Gustavo A. R. Silva" <garsilva@...eddedor.com>
To:     Brandon Streiff <brandon.streiff@...com>,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...oirfairelinux.com>,
        Florian Fainelli <f.fainelli@...il.com>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        "Gustavo A. R. Silva" <garsilva@...eddedor.com>
Subject: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative
 array index read

_port_ is being used as index to array port_hwtstamp before verifying
it is a non-negative number and a valid index at lines 209 and 258:

if (port < 0 || port >= mv88e6xxx_num_ports(chip))

Fix this by checking _port_ before using it as index to array
port_hwtstamp.

Addresses-Coverity-ID: 1465287 ("Negative array index read")
Addresses-Coverity-ID: 1465291 ("Negative array index read")
Fixes: c6fe0ad2c349 ("net: dsa: mv88e6xxx: add rx/tx timestamping support")
Signed-off-by: Gustavo A. R. Silva <garsilva@...eddedor.com>
---
Changes in v2:
 -Fix the same issue in mv88e6xxx_should_tstamp.
 -Update commit message.

 drivers/net/dsa/mv88e6xxx/hwtstamp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/hwtstamp.c b/drivers/net/dsa/mv88e6xxx/hwtstamp.c
index b251d53..5a665aa 100644
--- a/drivers/net/dsa/mv88e6xxx/hwtstamp.c
+++ b/drivers/net/dsa/mv88e6xxx/hwtstamp.c
@@ -200,8 +200,8 @@ int mv88e6xxx_port_hwtstamp_get(struct dsa_switch *ds, int port,
 				struct ifreq *ifr)
 {
 	struct mv88e6xxx_chip *chip = ds->priv;
-	struct mv88e6xxx_port_hwtstamp *ps = &chip->port_hwtstamp[port];
-	struct hwtstamp_config *config = &ps->tstamp_config;
+	struct mv88e6xxx_port_hwtstamp *ps;
+	struct hwtstamp_config *config;
 
 	if (!chip->info->ptp_support)
 		return -EOPNOTSUPP;
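
Review bot: The two initializers removed at the top of mv88e6xxx_port_hwtstamp_get only form addresses (&chip->port_hwtstamp[port] and &ps->tstamp_config); nothing is dereferenced until copy_to_user, which already sits after the port range check, so the commit message should describe an out-of-range address computation rather than an out-of-bounds read. Saying so explicitly would help anyone triaging the Fixes: tag decide whether this needs backporting.
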
@@ -209,6 +209,9 @@ int mv88e6xxx_port_hwtstamp_get(struct dsa_switch *ds, int port,
 	if (port < 0 || port >= mv88e6xxx_num_ports(chip))
 		return -EINVAL;
 
+	ps = &chip->port_hwtstamp[port];
+	config = &ps->tstamp_config;
+
 	return copy_to_user(ifr->ifr_data, config, sizeof(*config)) ?
 		-EFAULT : 0;
 }
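
Review bot: After the range check in this hunk, config is assigned and then used exactly once, in the copy_to_user call two lines later. Consider dropping the local and passing &ps->tstamp_config with sizeof(ps->tstamp_config) directly, which removes one declaration and one assignment from the patch.
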
@@ -249,7 +252,7 @@ static u8 *parse_ptp_header(struct sk_buff *skb, unsigned int type)
 static u8 *mv88e6xxx_should_tstamp(struct mv88e6xxx_chip *chip, int port,
 				   struct sk_buff *skb, unsigned int type)
 {
-	struct mv88e6xxx_port_hwtstamp *ps = &chip->port_hwtstamp[port];
+	struct mv88e6xxx_port_hwtstamp *ps;
 	u8 *hdr;
 
 	if (!chip->info->ptp_support)
@@ -262,6 +265,7 @@ static u8 *mv88e6xxx_should_tstamp(struct mv88e6xxx_chip *chip, int port,
 	if (!hdr)
 		return NULL;
 
+	ps = &chip->port_hwtstamp[port];
 	if (!test_bit(MV88E6XXX_HWTSTAMP_ENABLED, &ps->state))
 		return NULL;
 
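Review bot: The port range check that the added ps = &chip->port_hwtstamp[port]; depends on does not appear in the context of either mv88e6xxx_should_tstamp hunk, so the ordering cannot be confirmed from the diff itself; only the commit message places that check at line 258. Moving the assignment directly below the range check, instead of after the hdr NULL test, would put both in one hunk and make the dependency obvious to the next reader.
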
-- 
2.7.4
