From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Sean Anderson <sean.anderson@seco.com>
Cc: Andrew Lunn <andrew@lunn.ch>,
	Heiner Kallweit <hkallweit1@gmail.com>,
	netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
	Vladimir Oltean <olteanv@gmail.com>,
	linux-kernel@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Tobias Waldekranz <tobias@waldekranz.com>,
	Jakub Kicinski <kuba@kernel.org>
Subject: Re: [PATCH net-next] net: mdio: Add netlink interface
Date: Mon, 6 Mar 2023 22:48:48 +0000
Message-ID: <ZAZt0D+CQBnYIogp@shell.armlinux.org.uk>
In-Reply-To: <20230306204517.1953122-1-sean.anderson@seco.com>

On Mon, Mar 06, 2023 at 03:45:16PM -0500, Sean Anderson wrote:
> +static int mdio_nl_eval(struct mdio_nl_xfer *xfer)
> +{
> +	struct mdio_nl_insn *insn;
> +	unsigned long timeout;
> +	u16 regs[8] = { 0 };
> +	int pc, ret = 0;

So "pc" is signed.

> +	int phy_id, reg, prtad, devad, val;
> +
> +	timeout = jiffies + msecs_to_jiffies(xfer->timeout_ms);
> +
> +	mutex_lock(&xfer->mdio->mdio_lock);
> +
> +	for (insn = xfer->prog, pc = 0;
> +	     pc < xfer->prog_len;

xfer->prog_len is signed, so this is a signed comparison.

> +		case MDIO_NL_OP_JEQ:
> +			if (__arg_ri(insn->arg0, regs) ==
> +			    __arg_ri(insn->arg1, regs))
> +				pc += (s16)__arg_i(insn->arg2);
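Review bot: the register operands `insn->arg0` and `insn->arg1` index the 8-entry `regs[]` array through `__arg_ri()`, so unless that helper masks or range-checks the index they need the same validation as the jump target; a register operand of 8 or more reads past `u16 regs[8]`. Checking both the register indices and the reachable `pc` range once, before the loop starts interpreting, would cover this and the negative-`pc` case together.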

This adds a signed 16-bit integer to pc, which can make pc negative.

And so the question becomes... what prevents pc becoming negative
and then trying to use a negative number as an index?

I think prog_len and pc should both be unsigned, then the test you
have will be unsigned, and thus wrapping "pc" around zero makes it
a very large integer which fails the test - preventing at least
access outside of the array. Better still would be a validator
that checks that the program is in fact safe to execute.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
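A pre-execution validator of the kind suggested above, as an added example that is not part of the patch or of this reply: the opcode names, the instruction layout and the jump semantics (target = pc + arg2, mirroring the quoted `pc += (s16)__arg_i(insn->arg2)`) are assumptions, and the sample programs are constructed. It rejects negative and out-of-range jump targets and out-of-range register operands before anything is executed.

```c
#include <stddef.h>
#include <stdint.h>

#define NREGS 8                         /* matches "u16 regs[8]" in the patch */

enum mdio_op { OP_READ, OP_JEQ, OP_EMIT };   /* hypothetical opcode names */

struct insn {                           /* hypothetical instruction layout */
	uint8_t op;
	uint8_t arg0, arg1;             /* register operands, index into regs[] */
	int16_t arg2;                   /* JEQ: signed jump offset relative to pc */
};

/* Returns 0 if the program is safe to interpret, -1 otherwise: every
 * register operand must index regs[] and every JEQ target must land
 * inside the program. pc is unsigned here, so a hostile program is
 * rejected up front instead of turning into a negative array index. */
int validate_prog(const struct insn *prog, size_t len)
{
	size_t pc;

	for (pc = 0; pc < len; pc++) {
		const struct insn *i = &prog[pc];

		switch (i->op) {
		case OP_JEQ: {
			/* Same arithmetic as "pc += (s16)arg2", done in a wide
			 * signed type so a negative result is visible. */
			long target = (long)pc + i->arg2;

			if (i->arg0 >= NREGS || i->arg1 >= NREGS)
				return -1;
			if (target < 0 || (size_t)target >= len)
				return -1;
			break;
		}
		case OP_READ:
		case OP_EMIT:
			if (i->arg0 >= NREGS)
				return -1;
			break;
		default:
			return -1;      /* unknown opcode */
		}
	}
	return 0;
}

/* Constructed sample programs. */
const struct insn prog_ok[]       = { { OP_READ, 0, 0, 0 }, { OP_JEQ, 0, 1, 1 }, { OP_EMIT, 0, 0, 0 } };
const struct insn prog_neg_jump[] = { { OP_READ, 0, 0, 0 }, { OP_JEQ, 0, 1, -5 } };  /* pc would become -4 */
const struct insn prog_bad_reg[]  = { { OP_JEQ, 8, 0, 0 } };                         /* regs[8] is out of bounds */
const struct insn prog_fwd_jump[] = { { OP_JEQ, 0, 0, 100 } };                       /* lands past prog_len */
```

The validator does not prove termination (a zero offset loops on itself); the interpreter's `timeout_ms` deadline remains the backstop for that.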

Thread overview: 18+ messages
2023-03-06 20:45 [PATCH net-next] net: mdio: Add netlink interface Sean Anderson
2023-03-06 22:48 ` Russell King (Oracle) [this message]
2023-03-06 23:39   ` Sean Anderson
2023-03-07 13:47   ` Andrew Lunn
2023-03-07 16:41     ` Sean Anderson
2023-03-07  0:05 ` kernel test robot
2023-03-07 11:23 ` Michael Walle
2023-03-07 13:49   ` Andrew Lunn
2023-03-07 14:05     ` Vladimir Oltean
2023-03-07 14:33       ` Andrew Lunn
2023-03-07 15:00         ` Russell King (Oracle)
2023-03-07 12:26 ` Tobias Waldekranz
2023-03-07 16:30   ` Sean Anderson
2023-03-07 14:22 ` Andrew Lunn
2023-03-07 14:50   ` Russell King (Oracle)
2023-03-07 16:16   ` Sean Anderson
2023-03-07 17:23     ` Andrew Lunn
2023-03-07 17:42       ` Sean Anderson