lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230512153558.15025-1-edward.cree@amd.com>
Date: Fri, 12 May 2023 16:35:58 +0100
From: <edward.cree@....com>
To: <linux-net-drivers@....com>, <davem@...emloft.net>, <kuba@...nel.org>,
	<pabeni@...hat.com>, <edumazet@...gle.com>
CC: Edward Cree <ecree.xilinx@...il.com>, <netdev@...r.kernel.org>,
	<habetsm.xilinx@...il.com>, Simon Horman <simon.horman@...igine.com>
Subject: [PATCH net-next] sfc: fix use-after-free in efx_tc_flower_record_encap_match()

From: Edward Cree <ecree.xilinx@...il.com>

When writing error messages to extack for pseudo collisions, we can't
 use encap->type as encap has already been freed.  Fortunately the
 same value is stored in local variable em_type, so use that instead.

Fixes: 3c9561c0a5b9 ("sfc: support TC decap rules matching on enc_ip_tos")
Reported-by: Simon Horman <simon.horman@...igine.com>
Signed-off-by: Edward Cree <ecree.xilinx@...il.com>
---
 drivers/net/ethernet/sfc/tc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/sfc/tc.c b/drivers/net/ethernet/sfc/tc.c
index da684b4b7211..6dfbdb39f2fe 100644
--- a/drivers/net/ethernet/sfc/tc.c
+++ b/drivers/net/ethernet/sfc/tc.c
@@ -504,7 +504,7 @@ static int efx_tc_flower_record_encap_match(struct efx_nic *efx,
 			if (em_type != EFX_TC_EM_PSEUDO_MASK) {
 				NL_SET_ERR_MSG_FMT_MOD(extack,
 						       "%s encap match conflicts with existing pseudo(MASK) entry",
-						       encap->type ? "Pseudo" : "Direct");
+						       em_type ? "Pseudo" : "Direct");
 				return -EEXIST;
 			}
 			if (child_ip_tos_mask != old->child_ip_tos_mask) {
@@ -525,7 +525,7 @@ static int efx_tc_flower_record_encap_match(struct efx_nic *efx,
 		default: /* Unrecognised pseudo-type.  Just say no */
 			NL_SET_ERR_MSG_FMT_MOD(extack,
 					       "%s encap match conflicts with existing pseudo(%d) entry",
-					       encap->type ? "Pseudo" : "Direct",
+					       em_type ? "Pseudo" : "Direct",
 					       old->type);
 			return -EEXIST;
 		}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ