* [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
@ 2018-02-15 18:31 Gustavo A. R. Silva
  2018-02-15 21:12 ` Andrew Lunn
  2018-02-16 15:48 ` Richard Cochran
  0 siblings, 2 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2018-02-15 18:31 UTC (permalink / raw)
  To: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli
  Cc: netdev, linux-kernel, Gustavo A. R. Silva

_port_ is being used as index to array port_hwtstamp before verifying
it is a non-negative number and a valid index at line 209 and 258:

if (port < 0 || port >= mv88e6xxx_num_ports(chip))

Fix this by checking _port_ before using it as index to array
port_hwtstamp.

Addresses-Coverity-ID: 1465287 ("Negative array index read")
Addresses-Coverity-ID: 1465291 ("Negative array index read")
Fixes: c6fe0ad2c349 ("net: dsa: mv88e6xxx: add rx/tx timestamping support")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
Changes in v2:
 -Fix the same issue in mv88e6xxx_should_tstamp.
 -Update commit message.

 drivers/net/dsa/mv88e6xxx/hwtstamp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/hwtstamp.c b/drivers/net/dsa/mv88e6xxx/hwtstamp.c
index b251d53..5a665aa 100644
--- a/drivers/net/dsa/mv88e6xxx/hwtstamp.c
+++ b/drivers/net/dsa/mv88e6xxx/hwtstamp.c
@@ -200,8 +200,8 @@ int mv88e6xxx_port_hwtstamp_get(struct dsa_switch *ds, int port,
 				struct ifreq *ifr)
 {
 	struct mv88e6xxx_chip *chip = ds->priv;
-	struct mv88e6xxx_port_hwtstamp *ps = &chip->port_hwtstamp[port];
-	struct hwtstamp_config *config = &ps->tstamp_config;
+	struct mv88e6xxx_port_hwtstamp *ps;
+	struct hwtstamp_config *config;
 
 	if (!chip->info->ptp_support)
 		return -EOPNOTSUPP;
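Review bot: The description "negative array index read" does not match what the removed initializers in this hunk do: `&chip->port_hwtstamp[port]` and `&ps->tstamp_config` only form addresses, and nothing is loaded through `ps` or `config` until `copy_to_user()`, which already sits after the range check. Please reword the commit message to say the address is computed before `port` is validated, and state whether any caller of `mv88e6xxx_port_hwtstamp_get()` can pass an out-of-range `port`, since that decides whether this is a fix or a cleanup.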
@@ -209,6 +209,9 @@ int mv88e6xxx_port_hwtstamp_get(struct dsa_switch *ds, int port,
 	if (port < 0 || port >= mv88e6xxx_num_ports(chip))
 		return -EINVAL;
 
+	ps = &chip->port_hwtstamp[port];
+	config = &ps->tstamp_config;
+
 	return copy_to_user(ifr->ifr_data, config, sizeof(*config)) ?
 		-EFAULT : 0;
 }
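Review bot: `ps` is redundant in `mv88e6xxx_port_hwtstamp_get()` after this change: in the lines shown it is assigned only so that `config` can be derived from it on the next line. Consider dropping the `ps` local and writing `config = &chip->port_hwtstamp[port].tstamp_config;` after the range check, which removes one declaration and one assignment.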
@@ -249,7 +252,7 @@ static u8 *parse_ptp_header(struct sk_buff *skb, unsigned int type)
 static u8 *mv88e6xxx_should_tstamp(struct mv88e6xxx_chip *chip, int port,
 				   struct sk_buff *skb, unsigned int type)
 {
-	struct mv88e6xxx_port_hwtstamp *ps = &chip->port_hwtstamp[port];
+	struct mv88e6xxx_port_hwtstamp *ps;
 	u8 *hdr;
 
 	if (!chip->info->ptp_support)
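Review bot: The justification for touching `mv88e6xxx_should_tstamp()` is missing: the function is `static`, so every caller is in this file and can be checked for whether an out-of-range `port` can reach it. The commit message should name the call path that can; if there is none, the range check itself is the dead code and the Fixes: tag is not warranted.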
@@ -262,6 +265,7 @@ static u8 *mv88e6xxx_should_tstamp(struct mv88e6xxx_chip *chip, int port,
 	if (!hdr)
 		return NULL;
 
+	ps = &chip->port_hwtstamp[port];
 	if (!test_bit(MV88E6XXX_HWTSTAMP_ENABLED, &ps->state))
 		return NULL;
 
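Review bot: The range check that the commit message places at line 258 is not in the context of this hunk or the previous one, so the diff alone does not show that `ps = &chip->port_hwtstamp[port];` lands after it. Please regenerate the patch with enough context lines to include the check, or say in the commit message that the assignment is deliberately placed after both the `port` test and the `if (!hdr)` return, just before the first use of `ps`.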
-- 
2.7.4


* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-15 18:31 [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read Gustavo A. R. Silva
@ 2018-02-15 21:12 ` Andrew Lunn
  2018-02-16 15:48 ` Richard Cochran
  1 sibling, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2018-02-15 21:12 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Brandon Streiff, Vivien Didelot, Florian Fainelli, netdev,
	linux-kernel

On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> _port_ is being used as index to array port_hwtstamp before verifying
> it is a non-negative number and a valid index at line 209 and 258:
> 
> if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> 
> Fix this by checking _port_ before using it as index to array
> port_hwtstamp.
> 
> Addresses-Coverity-ID: 1465287 ("Negative array index read")
> Addresses-Coverity-ID: 1465291 ("Negative array index read")
> Fixes: c6fe0ad2c349 ("net: dsa: mv88e6xxx: add rx/tx timestamping support")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew


* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-15 18:31 [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read Gustavo A. R. Silva
  2018-02-15 21:12 ` Andrew Lunn
@ 2018-02-16 15:48 ` Richard Cochran
  2018-02-16 15:55   ` Andrew Lunn
  2018-02-16 15:56   ` Richard Cochran
  1 sibling, 2 replies; 6+ messages in thread
From: Richard Cochran @ 2018-02-16 15:48 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli,
	netdev, linux-kernel

On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> _port_ is being used as index to array port_hwtstamp before verifying
> it is a non-negative number and a valid index at line 209 and 258:
> 
> if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> 
> Fix this by checking _port_ before using it as index to array
> port_hwtstamp.

NAK.   Port is already known to be valid in the callers.

See:

*** net/dsa/slave.c:  dsa_slave_ioctl[266]
*** net/dsa/slave.c:  dsa_skb_tx_timestamp[416]
*** net/dsa/dsa.c:    dsa_skb_defer_rx_timestamp[152]
 
> Addresses-Coverity-ID: 1465287 ("Negative array index read")
> Addresses-Coverity-ID: 1465291 ("Negative array index read")

Please check the code before posting.  These false positives are
really annoying.

Thanks,
Richard


* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-16 15:48 ` Richard Cochran
@ 2018-02-16 15:55   ` Andrew Lunn
  2018-02-16 15:56   ` Richard Cochran
  1 sibling, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2018-02-16 15:55 UTC (permalink / raw)
  To: Richard Cochran
  Cc: Gustavo A. R. Silva, Brandon Streiff, Vivien Didelot,
	Florian Fainelli, netdev, linux-kernel

On Fri, Feb 16, 2018 at 07:48:46AM -0800, Richard Cochran wrote:
> On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> > _port_ is being used as index to array port_hwtstamp before verifying
> > it is a non-negative number and a valid index at line 209 and 258:
> > 
> > if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> > 
> > Fix this by checking _port_ before using it as index to array
> > port_hwtstamp.
> 
> NAK.   Port is already known to be valid in the callers.

Then we should take out the check. It is probably this check which is
causing the false positives.

	Andrew


* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-16 15:48 ` Richard Cochran
  2018-02-16 15:55   ` Andrew Lunn
@ 2018-02-16 15:56   ` Richard Cochran
  2018-02-16 17:49     ` Gustavo A. R. Silva
  1 sibling, 1 reply; 6+ messages in thread
From: Richard Cochran @ 2018-02-16 15:56 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli,
	netdev, linux-kernel

On Fri, Feb 16, 2018 at 07:48:46AM -0800, Richard Cochran wrote:
> On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> > _port_ is being used as index to array port_hwtstamp before verifying
> > it is a non-negative number and a valid index at line 209 and 258:
> > 
> > if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> > 
> > Fix this by checking _port_ before using it as index to array
> > port_hwtstamp.
> 
> NAK.   Port is already known to be valid in the callers.

And so the real bug is the pointless range checking tests.  I would
welcome patches to remove those.

Thanks,
Richard


* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-16 15:56   ` Richard Cochran
@ 2018-02-16 17:49     ` Gustavo A. R. Silva
  0 siblings, 0 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2018-02-16 17:49 UTC (permalink / raw)
  To: Richard Cochran
  Cc: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli,
	netdev, linux-kernel



On 02/16/2018 09:56 AM, Richard Cochran wrote:
> On Fri, Feb 16, 2018 at 07:48:46AM -0800, Richard Cochran wrote:
>> On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
>>> _port_ is being used as index to array port_hwtstamp before verifying
>>> it is a non-negative number and a valid index at line 209 and 258:
>>>
>>> if (port < 0 || port >= mv88e6xxx_num_ports(chip))
>>>
>>> Fix this by checking _port_ before using it as index to array
>>> port_hwtstamp.
>>
>> NAK.   Port is already known to be valid in the callers.
> 
> And so the real bug is the pointless range checking tests.  I would
> welcome patches to remove those.
> 

I just sent a patch for this.

Thank you both, Andrew and Richard for the feedback.
--
Gustavo

