Date:   Tue, 31 Jan 2023 17:23:30 +0100
From:   Simon Horman <simon.horman@...igine.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Natalia Petrova <n.petrova@...tech.ru>, stable@...r.kernel.org,
        Jesse Brandeburg <jesse.brandeburg@...el.com>,
        Tony Nguyen <anthony.l.nguyen@...el.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        intel-wired-lan@...ts.osuosl.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH v2] i40e: Add checking for null for nlmsg_find_attr()

On Tue, Jan 31, 2023 at 06:17:49AM +0100, Greg Kroah-Hartman wrote:
> On Tue, Jan 31, 2023 at 01:11:06AM +0300, Natalia Petrova wrote:
> > The result of nlmsg_find_attr() 'br_spec' is dereferenced in
> > nla_for_each_nested(), but it can take null value in nla_find() function,
> > which will result in an error.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
> > Signed-off-by: Natalia Petrova <n.petrova@...tech.ru>
> > Reviewed-by: Jesse Brandeburg <jesse.brandeburg@...el.com>
> > ---
> > v2: The remark about the error code by Simon Horman <simon.horman@...igine.com> 
> > was taken into account; return value -ENOENT was changed to -EINVAL.
> >  drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> 
> <formletter>
> 
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
> 
> </formletter>

Hi Natalia,

offering some friendly guidance here.

It seems to me that the problem you have highlighted is present
in current upstream code, and thus should be addressed there.

If it is considered a bug fix, then it should be targeted at the 'net'
tree. If the patch is accepted into the release currently being
worked on (v6.2), backporting to older kernels can follow from there.
Otherwise it can be targeted at 'net-next', for inclusion
in the following release (v6.3).

As I think might have been mentioned elsewhere, for networking
changes, you should indicate the target tree in the subject.
E.g. for net

Subject: [PATCH v3] i40e: Check if nlmsg_find_attr() returns null

The above also incorporates a suggested enhancement to the subject text.

I believe there was also a typo spotted in the patch description:
finction -> function

In all, my suggestion would be to address these problems as a v3.
I do not believe that you need to include stable@...r.kernel.org
or Greg on the recipient list, as the patch would be for 'net'
or 'net-next', not stable.
