lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45d1bb23-4559-4b38-8d26-8705541df69f@seco.com>
Date: Thu, 7 Mar 2024 11:06:48 -0500
From: Sean Anderson <sean.anderson@...o.com>
To: Aleksandr Mishin <amishin@...rgos.ru>,
 Madalin Bucur <madalin.bucur@....com>
Cc: "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, Igal Liberman
 <igal.liberman@...escale.com>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] fsl/fman: Add array size check

On 3/7/24 03:04, Aleksandr Mishin wrote:
> [You don't often get email from amishin@...rgos.ru. Learn why this is important at https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2faka.ms%2fLearnAboutSenderIdentification&umid=bdb4cfa6-c48e-4063-9c43-6d5ce09db688&auth=d807158c60b7d2502abde8a2fc01f40662980862-eff8dde9dd9e5b6c3f9e726ab81488b46e7dd147 ]
>
> In fman_register_intr() and fman_unregister_intr()
> get_module_event() is assigned to event which is then used
> as array index without size check.
> Fix this bug by adding a check of event.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 414fd46e7762 (fsl/fman: Add FMan support)
> Signed-off-by: Aleksandr Mishin <amishin@...rgos.ru>
> ---
>  drivers/net/ethernet/freescale/fman/fman.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
> index d96028f01770..902d05ffff1b 100644
> --- a/drivers/net/ethernet/freescale/fman/fman.c
> +++ b/drivers/net/ethernet/freescale/fman/fman.c
> @@ -2054,7 +2054,10 @@ void fman_register_intr(struct fman *fman, enum fman_event_modules module,
>         int event = 0;
>
>         event = get_module_event(module, mod_id, intr_type);
> -       WARN_ON(event >= FMAN_EV_CNT);
> +       if (event >= FMAN_EV_CNT) {
> +               WARN_ON(event >= FMAN_EV_CNT);
> +               return;
> +       }
>
>         /* register in local FM structure */
>         fman->intr_mng[event].isr_cb = isr_cb;
> @@ -2079,7 +2082,10 @@ void fman_unregister_intr(struct fman *fman, enum fman_event_modules module,
>         int event = 0;
>
>         event = get_module_event(module, mod_id, intr_type);
> -       WARN_ON(event >= FMAN_EV_CNT);
> +       if (event >= FMAN_EV_CNT) {
> +               WARN_ON(event >= FMAN_EV_CNT);
> +               return;
> +       }
>
>         fman->intr_mng[event].isr_cb = NULL;
>         fman->intr_mng[event].src_handle = NULL;
> --
> 2.30.2
>

Nack. This condition should never occur, that's why we have the WARN_ON.

--Sean

[Embedded World 2024, SECO SpA]<https://www.messe-ticket.de/Nuernberg/embeddedworld2024/Register/ew24517689>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ