[PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
@ 2018-02-15 18:31 Gustavo A. R. Silva
  2018-02-15 21:12 ` Andrew Lunn
  2018-02-16 15:48 ` Richard Cochran
  0 siblings, 2 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2018-02-15 18:31 UTC (permalink / raw)
  To: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli
  Cc: netdev, linux-kernel, Gustavo A. R. Silva

_port_ is being used as index to array port_hwtstamp before verifying
it is a non-negative number and a valid index at line 209 and 258:

if (port < 0 || port >= mv88e6xxx_num_ports(chip))

Fix this by checking _port_ before using it as index to array
port_hwtstamp.

Addresses-Coverity-ID: 1465287 ("Negative array index read")
Addresses-Coverity-ID: 1465291 ("Negative array index read")
Fixes: c6fe0ad2c349 ("net: dsa: mv88e6xxx: add rx/tx timestamping support")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
Changes in v2:
 -Fix the same issue in mv88e6xxx_should_tstamp.
 -Update commit message.

 drivers/net/dsa/mv88e6xxx/hwtstamp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/hwtstamp.c b/drivers/net/dsa/mv88e6xxx/hwtstamp.c
index b251d53..5a665aa 100644
--- a/drivers/net/dsa/mv88e6xxx/hwtstamp.c
+++ b/drivers/net/dsa/mv88e6xxx/hwtstamp.c
@@ -200,8 +200,8 @@ int mv88e6xxx_port_hwtstamp_get(struct dsa_switch *ds, int port,
 				struct ifreq *ifr)
 {
 	struct mv88e6xxx_chip *chip = ds->priv;
-	struct mv88e6xxx_port_hwtstamp *ps = &chip->port_hwtstamp[port];
-	struct hwtstamp_config *config = &ps->tstamp_config;
+	struct mv88e6xxx_port_hwtstamp *ps;
+	struct hwtstamp_config *config;
 
 	if (!chip->info->ptp_support)
 		return -EOPNOTSUPP;
@@ -209,6 +209,9 @@ int mv88e6xxx_port_hwtstamp_get(struct dsa_switch *ds, int port,
 	if (port < 0 || port >= mv88e6xxx_num_ports(chip))
 		return -EINVAL;
 
+	ps = &chip->port_hwtstamp[port];
+	config = &ps->tstamp_config;
+
 	return copy_to_user(ifr->ifr_data, config, sizeof(*config)) ?
 		-EFAULT : 0;
 }
@@ -249,7 +252,7 @@ static u8 *parse_ptp_header(struct sk_buff *skb, unsigned int type)
 static u8 *mv88e6xxx_should_tstamp(struct mv88e6xxx_chip *chip, int port,
 				   struct sk_buff *skb, unsigned int type)
 {
-	struct mv88e6xxx_port_hwtstamp *ps = &chip->port_hwtstamp[port];
+	struct mv88e6xxx_port_hwtstamp *ps;
 	u8 *hdr;
 
 	if (!chip->info->ptp_support)
@@ -262,6 +265,7 @@ static u8 *mv88e6xxx_should_tstamp(struct mv88e6xxx_chip *chip, int port,
 	if (!hdr)
 		return NULL;
 
+	ps = &chip->port_hwtstamp[port];
 	if (!test_bit(MV88E6XXX_HWTSTAMP_ENABLED, &ps->state))
 		return NULL;
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-15 18:31 [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read Gustavo A. R. Silva
@ 2018-02-15 21:12 ` Andrew Lunn
  2018-02-16 15:48 ` Richard Cochran
  1 sibling, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2018-02-15 21:12 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Brandon Streiff, Vivien Didelot, Florian Fainelli, netdev,
	linux-kernel

On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> _port_ is being used as index to array port_hwtstamp before verifying
> it is a non-negative number and a valid index at line 209 and 258:
> 
> if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> 
> Fix this by checking _port_ before using it as index to array
> port_hwtstamp.
> 
> Addresses-Coverity-ID: 1465287 ("Negative array index read")
> Addresses-Coverity-ID: 1465291 ("Negative array index read")
> Fixes: c6fe0ad2c349 ("net: dsa: mv88e6xxx: add rx/tx timestamping support")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-15 18:31 [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read Gustavo A. R. Silva
  2018-02-15 21:12 ` Andrew Lunn
@ 2018-02-16 15:48 ` Richard Cochran
  2018-02-16 15:55   ` Andrew Lunn
  2018-02-16 15:56   ` Richard Cochran
  1 sibling, 2 replies; 6+ messages in thread
From: Richard Cochran @ 2018-02-16 15:48 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli,
	netdev, linux-kernel

On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> _port_ is being used as index to array port_hwtstamp before verifying
> it is a non-negative number and a valid index at line 209 and 258:
> 
> if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> 
> Fix this by checking _port_ before using it as index to array
> port_hwtstamp.

NAK.   Port is already known to be valid in the callers.

See:

*** net/dsa/slave.c:  dsa_slave_ioctl[266]
*** net/dsa/slave.c:  dsa_skb_tx_timestamp[416]
*** net/dsa/dsa.c:    dsa_skb_defer_rx_timestamp[152]
 
> Addresses-Coverity-ID: 1465287 ("Negative array index read")
> Addresses-Coverity-ID: 1465291 ("Negative array index read")

Please check the code before posting.  These false positives are
really annoying.

Thanks,
Richard

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-16 15:48 ` Richard Cochran
@ 2018-02-16 15:55   ` Andrew Lunn
  2018-02-16 15:56   ` Richard Cochran
  1 sibling, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2018-02-16 15:55 UTC (permalink / raw)
  To: Richard Cochran
  Cc: Gustavo A. R. Silva, Brandon Streiff, Vivien Didelot,
	Florian Fainelli, netdev, linux-kernel

On Fri, Feb 16, 2018 at 07:48:46AM -0800, Richard Cochran wrote:
> On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> > _port_ is being used as index to array port_hwtstamp before verifying
> > it is a non-negative number and a valid index at line 209 and 258:
> > 
> > if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> > 
> > Fix this by checking _port_ before using it as index to array
> > port_hwtstamp.
> 
> NAK.   Port is already known to be valid in the callers.

Then we should take out the check. It is probably this check which is
causing the false positives.

	Andrew

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-16 15:48 ` Richard Cochran
  2018-02-16 15:55   ` Andrew Lunn
@ 2018-02-16 15:56   ` Richard Cochran
  2018-02-16 17:49     ` Gustavo A. R. Silva
  1 sibling, 1 reply; 6+ messages in thread
From: Richard Cochran @ 2018-02-16 15:56 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli,
	netdev, linux-kernel

On Fri, Feb 16, 2018 at 07:48:46AM -0800, Richard Cochran wrote:
> On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
> > _port_ is being used as index to array port_hwtstamp before verifying
> > it is a non-negative number and a valid index at line 209 and 258:
> > 
> > if (port < 0 || port >= mv88e6xxx_num_ports(chip))
> > 
> > Fix this by checking _port_ before using it as index to array
> > port_hwtstamp.
> 
> NAK.   Port is already known to be valid in the callers.

And so the real bug is the pointless range checking tests.  I would
welcome patches to remove those.

Thanks,
Richard

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read
  2018-02-16 15:56   ` Richard Cochran
@ 2018-02-16 17:49     ` Gustavo A. R. Silva
  0 siblings, 0 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2018-02-16 17:49 UTC (permalink / raw)
  To: Richard Cochran
  Cc: Brandon Streiff, Andrew Lunn, Vivien Didelot, Florian Fainelli,
	netdev, linux-kernel



On 02/16/2018 09:56 AM, Richard Cochran wrote:
> On Fri, Feb 16, 2018 at 07:48:46AM -0800, Richard Cochran wrote:
>> On Thu, Feb 15, 2018 at 12:31:39PM -0600, Gustavo A. R. Silva wrote:
>>> _port_ is being used as index to array port_hwtstamp before verifying
>>> it is a non-negative number and a valid index at line 209 and 258:
>>>
>>> if (port < 0 || port >= mv88e6xxx_num_ports(chip))
>>>
>>> Fix this by checking _port_ before using it as index to array
>>> port_hwtstamp.
>>
>> NAK.   Port is already known to be valid in the callers.
> 
> And so the real bug is the pointless range checking tests.  I would
> welcome patches to remove those.
> 

I just sent a patch for this.

Thank you both, Andrew and Richard for the feedback.
--
Gustavo

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2018-02-16 17:49 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-15 18:31 [PATCH v2] net: dsa: mv88e6xxx: hwtstamp: fix potential negative array index read Gustavo A. R. Silva
2018-02-15 21:12 ` Andrew Lunn
2018-02-16 15:48 ` Richard Cochran
2018-02-16 15:55   ` Andrew Lunn
2018-02-16 15:56   ` Richard Cochran
2018-02-16 17:49     ` Gustavo A. R. Silva

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).