From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 08/23] net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc
Date: Sat, 4 May 2019 12:25:10 +0200 [thread overview]
Message-ID: <20190504102451.831062292@linuxfoundation.org> (raw)
In-Reply-To: <20190504102451.512405835@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit f949a12fd697479f68d99dc65e9bbab68ee49043 ]
The "fs->location" is a u32 that comes from the user in ethtool_set_rxnfc().
We can't pass unclamped values to test_bit() or it results in an out of
bounds access beyond the end of the bitmap.
Fixes: 7318166cacad ("net: dsa: bcm_sf2: Add support for ethtool::rxnfc")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/bcm_sf2_cfp.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/net/dsa/bcm_sf2_cfp.c
+++ b/drivers/net/dsa/bcm_sf2_cfp.c
@@ -742,6 +742,9 @@ static int bcm_sf2_cfp_rule_set(struct d
fs->m_ext.data[1]))
return -EINVAL;
+ if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES)
+ return -EINVAL;
+
if (fs->location != RX_CLS_LOC_ANY &&
test_bit(fs->location, priv->cfp.used))
return -EBUSY;
@@ -836,6 +839,9 @@ static int bcm_sf2_cfp_rule_del(struct b
u32 next_loc = 0;
int ret;
+ if (loc >= CFP_NUM_RULES)
+ return -EINVAL;
+
/* Refuse deleting unused rules, and those that are not unique since
* that could leave IPv6 rules with one of the chained rule in the
* table.
next prev parent reply other threads:[~2019-05-04 10:28 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-04 10:25 [PATCH 4.19 00/23] 4.19.40-stable review Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 01/23] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 02/23] ipv6: A few fixes on dereferencing rt->from Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 03/23] ipv6: fix races in ip6_dst_destroy() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 04/23] ipv6/flowlabel: wait rcu grace period before put_pid() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 05/23] ipv6: invert flowlabel sharing check in process and user mode Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 06/23] l2ip: fix possible use-after-free Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 07/23] l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv() Greg Kroah-Hartman
2019-05-04 10:25 ` Greg Kroah-Hartman [this message]
2019-05-04 10:25 ` [PATCH 4.19 09/23] net: phy: marvell: Fix buffer overrun with stats counters Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 10/23] net/tls: avoid NULL pointer deref on nskb->sk in fallback Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 11/23] rxrpc: Fix net namespace cleanup Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 12/23] sctp: avoid running the sctp state machine recursively Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 13/23] selftests: fib_rule_tests: print the result and return 1 if any tests failed Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 14/23] packet: validate msg_namelen in send directly Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 15/23] bnxt_en: Improve multicast address setup logic Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 16/23] bnxt_en: Free short FW command HWRM memory in error path in bnxt_init_one() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 17/23] bnxt_en: Fix uninitialized variable usage in bnxt_rx_pkt() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 18/23] net/tls: dont copy negative amounts of data in reencrypt Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 19/23] net/tls: fix copy to fragments " Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 20/23] KVM: x86: Whitelist port 0x7e for pre-incrementing %rip Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 21/23] KVM: nVMX: Fix size checks in vmx_set_nested_state Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 22/23] ALSA: line6: use dynamic buffers Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 23/23] ath10k: Drop WARN_ON()s that always trigger during system resume Greg Kroah-Hartman
2019-05-04 18:46 ` [PATCH 4.19 00/23] 4.19.40-stable review kernelci.org bot
2019-05-04 23:32 ` Guenter Roeck
2019-05-05 3:00 ` Dan Rue
2019-05-05 7:08 ` Greg Kroah-Hartman
2019-05-05 8:53 ` Naresh Kamboju
2019-05-05 9:02 ` Greg Kroah-Hartman
2019-05-05 12:38 ` Dan Rue
2019-05-05 11:12 ` Bharath Vedartham
2019-05-05 11:53 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190504102451.831062292@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.