[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6159c627-b74d-0187-0969-936795cdac87@seco.com>
Date: Mon, 6 Mar 2023 18:39:40 -0500
From: Sean Anderson <sean.anderson@...o.com>
To: "Russell King (Oracle)" <linux@...linux.org.uk>
Cc: Andrew Lunn <andrew@...n.ch>,
Heiner Kallweit <hkallweit1@...il.com>, netdev@...r.kernel.org,
"David S . Miller" <davem@...emloft.net>,
Vladimir Oltean <olteanv@...il.com>,
linux-kernel@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>,
Eric Dumazet <edumazet@...gle.com>,
Florian Fainelli <f.fainelli@...il.com>,
Tobias Waldekranz <tobias@...dekranz.com>,
Jakub Kicinski <kuba@...nel.org>
Subject: Re: [PATCH net-next] net: mdio: Add netlink interface
On 3/6/23 17:48, Russell King (Oracle) wrote:
> On Mon, Mar 06, 2023 at 03:45:16PM -0500, Sean Anderson wrote:
>> +static int mdio_nl_eval(struct mdio_nl_xfer *xfer)
>> +{
>> + struct mdio_nl_insn *insn;
>> + unsigned long timeout;
>> + u16 regs[8] = { 0 };
>> + int pc, ret = 0;
>
> So "pc" is signed.
>
>> + int phy_id, reg, prtad, devad, val;
>> +
>> + timeout = jiffies + msecs_to_jiffies(xfer->timeout_ms);
>> +
>> + mutex_lock(&xfer->mdio->mdio_lock);
>> +
>> + for (insn = xfer->prog, pc = 0;
>> + pc < xfer->prog_len;
>
> xfer->prog_len is signed, so this is a signed comparison.
>
>> + case MDIO_NL_OP_JEQ:
>> + if (__arg_ri(insn->arg0, regs) ==
>> + __arg_ri(insn->arg1, regs))
>> + pc += (s16)__arg_i(insn->arg2);
>
> This adds a signed 16-bit integer to pc, which can make pc negative.
>
> And so the question becomes... what prevents pc becoming negative
> and then trying to use a negative number as an index?
We start executing from somewhere on the heap :)
> I think prog_len and pc should both be unsigned, then the test you
> have will be unsigned, and thus wrapping "pc" around zero makes it
> a very large integer which fails the test - preventing at least
> access outside of the array.
Will fix.
> Better still would be a validator
> that checks that the program is in fact safe to execute.
I think mdio_nl_validate_prog could be extended to check for this.
--Sean
Powered by blists - more mailing lists