| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210722200544.qvl3sj57qph2whrw@skbuf>
Date: Thu, 22 Jul 2021 23:05:44 +0300
From: Vladimir Oltean <olteanv@...il.com>
To: Colin King <colin.king@...onical.com>
Cc: Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Florian Fainelli <f.fainelli@...il.com>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH][next] net: dsa: sja1105: remove redundant re-assignment
of pointer table
On Thu, Jul 22, 2021 at 08:15:29PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@...onical.com>
>
> The pointer table is being re-assigned with a value that is never
> read. The assignment is redundant and can be removed.
>
> Addresses-Coverity: ("Unused value")
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> ---
> drivers/net/dsa/sja1105/sja1105_main.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
> index 6618abba23b3..c65dba3111d7 100644
> --- a/drivers/net/dsa/sja1105/sja1105_main.c
> +++ b/drivers/net/dsa/sja1105/sja1105_main.c
> @@ -2157,8 +2157,6 @@ static int sja1105_build_vlan_table(struct sja1105_private *priv)
> if (!new_vlan)
> return -ENOMEM;
>
> - table = &priv->static_config.tables[BLK_IDX_VLAN_LOOKUP];
> -
> for (i = 0; i < VLAN_N_VID; i++)
> new_vlan[i].vlanid = VLAN_N_VID;
>
> --
> 2.31.1
>
Oh my, what an interesting bug you uncovered.
That duplicate assignment was introduced in commit 3f01c91aab92 ("net:
dsa: sja1105: implement VLAN retagging for dsa_8021q sub-VLANs") and
used to read:
table = &priv->static_config.tables[BLK_IDX_VLAN_LOOKUP];
new_retagging = kcalloc(SJA1105_MAX_RETAGGING_COUNT,
table->ops->unpacked_entry_size, GFP_KERNEL);
In retrospect, it should have been:
table = &priv->static_config.tables[BLK_IDX_RETAGGING];
because we must allocate SJA1105_MAX_RETAGGING_COUNT elements of the
size of one VLAN retagging entry, and not of one VLAN lookup entry.
In commit 0fac6aa098ed ("net: dsa: sja1105: delete the
best_effort_vlan_filtering mode") I deleted everything that had to do
with VLAN retagging but left this behind because it didn't say RETAGGING
on it.
[BLK_IDX_VLAN_LOOKUP] = {
.unpacked_entry_size = sizeof(struct sja1105_vlan_lookup_entry),
},
[BLK_IDX_RETAGGING] = {
.unpacked_entry_size = sizeof(struct sja1105_retagging_entry),
},
and if you look at them, struct sja1105_retagging_entry has 7 u64
fields, while struct sja1105_vlan_lookup_entry has 6 elements (actually
since commit 3e77e59bf8cf ("net: dsa: sja1105: add support for the
SJA1110 switch family") it also has 7.
The point is, between commit 3f01c91aab92 and commit 3e77e59bf8cf, the
driver allocated 8 bytes too few per VLAN retagging entry, or multiplied
by 32 (the value of SJA1105_MAX_RETAGGING_COUNT), it only allocates
enough memory for 27.4 VLAN retagging entries. So any attempt to access
VLAN retagging entries 27-31 in this function would trigger an out of
bounds memory access.
Could you please also send a patch for the "net" tree with this, and the
explanation above?
- table = &priv->static_config.tables[BLK_IDX_VLAN_LOOKUP];
+ table = &priv->static_config.tables[BLK_IDX_RETAGGING];
Thanks.
Powered by blists - more mailing lists