* out of bounds writes in net/hsr/
@ 2014-03-04 3:27 Dave Jones
2014-03-04 16:07 ` Arvid Brodin
0 siblings, 1 reply; 3+ messages in thread
From: Dave Jones @ 2014-03-04 3:27 UTC (permalink / raw)
To: netdev; +Cc: arvid.brodin
I found this in coverity, and I think it's a real bug..
hsr_register_frame_in does a check that dev_idx is between 0 and 2,
therefore, a dev_idx of 2 is possible when it gets to the array writes
at the end of the function. The arrays are defined such..
26 struct node_entry {
...
33 unsigned long time_in[HSR_MAX_SLAVE];
34 bool time_in_stale[HSR_MAX_SLAVE];
and HSR_MAX_SLAVE is...
139 enum hsr_dev_idx {
140 HSR_DEV_NONE = -1,
141 HSR_DEV_SLAVE_A = 0,
142 HSR_DEV_SLAVE_B,
143 HSR_DEV_MASTER,
144 };
145 #define HSR_MAX_SLAVE (HSR_DEV_SLAVE_B + 1)
So we have arrays of 2 bytes, and we can try to write to the 3rd byte.
The problem seems to be that the checking in hsr_register_frame is on
HSR_MAX_DEV which is defined as..
#define HSR_MAX_DEV (HSR_DEV_MASTER + 1)
The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't
figure out why it's there.
Dave
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: out of bounds writes in net/hsr/
2014-03-04 3:27 out of bounds writes in net/hsr/ Dave Jones
@ 2014-03-04 16:07 ` Arvid Brodin
2014-03-04 16:30 ` Dave Jones
0 siblings, 1 reply; 3+ messages in thread
From: Arvid Brodin @ 2014-03-04 16:07 UTC (permalink / raw)
To: Dave Jones; +Cc: netdev
On 2014-03-04 04:27, Dave Jones wrote:
> I found this in coverity, and I think it's a real bug..
>
> hsr_register_frame_in does a check that dev_idx is between 0 and 2,
> therefore, a dev_idx of 2 is possible when it gets to the array writes
> at the end of the function.
Thanks for finding this; it is a bug (although I don't think it has
actually lead to any out of bound accesses).
However, I think you are a bit late - I believe this was fixed in a patch
from Dan Carpenter just a few days ago. See
http://www.spinics.net/lists/netdev/msg272815.html
> #define HSR_MAX_DEV (HSR_DEV_MASTER + 1)
>
> The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't
> figure out why it's there.
>
> Dave
>
Yes, maybe the names are a bit misleading, and they should be called something
like HSR_DEVS and HSR_SLAVES instead. I.e.:
some-type array-name[HSR_DEVS];
... where the last element is accessed by array-name[HSR_MAX_DEV].
--
Arvid Brodin | Consultant (Linux)
ALTEN | Knarrarnäsgatan 7 | SE-164 40 Kista | Sweden
arvid.brodin@alten.se | www.alten.se/en/
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: out of bounds writes in net/hsr/
2014-03-04 16:07 ` Arvid Brodin
@ 2014-03-04 16:30 ` Dave Jones
0 siblings, 0 replies; 3+ messages in thread
From: Dave Jones @ 2014-03-04 16:30 UTC (permalink / raw)
To: Arvid Brodin; +Cc: netdev
On Tue, Mar 04, 2014 at 05:07:23PM +0100, Arvid Brodin wrote:
> On 2014-03-04 04:27, Dave Jones wrote:
> > I found this in coverity, and I think it's a real bug..
> >
> > hsr_register_frame_in does a check that dev_idx is between 0 and 2,
> > therefore, a dev_idx of 2 is possible when it gets to the array writes
> > at the end of the function.
>
> Thanks for finding this; it is a bug (although I don't think it has
> actually lead to any out of bound accesses).
>
> However, I think you are a bit late - I believe this was fixed in a patch
> from Dan Carpenter just a few days ago. See
>
> http://www.spinics.net/lists/netdev/msg272815.html
excellent, thanks for checking.
Dave
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-03-04 17:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-03-04 3:27 out of bounds writes in net/hsr/ Dave Jones
2014-03-04 16:07 ` Arvid Brodin
2014-03-04 16:30 ` Dave Jones
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).