netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
@ 2023-12-11  8:37 Jiri Pirko
  2023-12-11 10:46 ` Vadim Fedorenko
  2023-12-13  0:30 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 5+ messages in thread
From: Jiri Pirko @ 2023-12-11  8:37 UTC (permalink / raw)
  To: netdev
  Cc: kuba, pabeni, davem, edumazet, vadim.fedorenko,
	arkadiusz.kubalewski, gregkh, hdthky0, michal.michalik,
	milena.olech

From: Jiri Pirko <jiri@nvidia.com>

User may not pass DPLL_A_PIN_STATE attribute in the pin set operation
message. Sanitize that by checking if the attr pointer is not null
and process the passed state attribute value only in that case.

Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
---
 drivers/dpll/dpll_netlink.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c
index 442a0ebeb953..ce7cf736f020 100644
--- a/drivers/dpll/dpll_netlink.c
+++ b/drivers/dpll/dpll_netlink.c
@@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
 			struct netlink_ext_ack *extack)
 {
 	struct nlattr *tb[DPLL_A_PIN_MAX + 1];
-	enum dpll_pin_state state;
 	u32 ppin_idx;
 	int ret;
 
@@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
 		return -EINVAL;
 	}
 	ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]);
-	state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
-	ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
-	if (ret)
-		return ret;
+
+	if (tb[DPLL_A_PIN_STATE]) {
+		enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
+
+		ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
+		if (ret)
+			return ret;
+	}
 
 	return 0;
 }
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
  2023-12-11  8:37 [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set() Jiri Pirko
@ 2023-12-11 10:46 ` Vadim Fedorenko
  2023-12-11 11:43   ` Jiri Pirko
  2023-12-13  0:30 ` patchwork-bot+netdevbpf
  1 sibling, 1 reply; 5+ messages in thread
From: Vadim Fedorenko @ 2023-12-11 10:46 UTC (permalink / raw)
  To: Jiri Pirko, netdev
  Cc: kuba, pabeni, davem, edumazet, arkadiusz.kubalewski, gregkh,
	hdthky0, michal.michalik, milena.olech

On 11/12/2023 08:37, Jiri Pirko wrote:
> From: Jiri Pirko <jiri@nvidia.com>
> 
> User may not pass DPLL_A_PIN_STATE attribute in the pin set operation
> message. Sanitize that by checking if the attr pointer is not null
> and process the passed state attribute value only in that case.
> 
> Reported-by: Xingyuan Mo <hdthky0@gmail.com>
> Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions")
> Signed-off-by: Jiri Pirko <jiri@nvidia.com>
> ---
>   drivers/dpll/dpll_netlink.c | 13 ++++++++-----
>   1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c
> index 442a0ebeb953..ce7cf736f020 100644
> --- a/drivers/dpll/dpll_netlink.c
> +++ b/drivers/dpll/dpll_netlink.c
> @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
>   			struct netlink_ext_ack *extack)
>   {
>   	struct nlattr *tb[DPLL_A_PIN_MAX + 1];
> -	enum dpll_pin_state state;
>   	u32 ppin_idx;
>   	int ret;
>   
> @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
>   		return -EINVAL;
>   	}
>   	ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]);
> -	state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
> -	ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
> -	if (ret)
> -		return ret;
> +
> +	if (tb[DPLL_A_PIN_STATE]) {
> +		enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
> +
> +		ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
> +		if (ret)
> +			return ret;
> +	}
>   
>   	return 0;
>   }

I don't believe that "set" command without set value should return 0
meaning "request was completed successfully". Maybe it's better to add 
another check like for DPLL_A_PIN_PARENT_ID and fill extack with
description?


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
  2023-12-11 10:46 ` Vadim Fedorenko
@ 2023-12-11 11:43   ` Jiri Pirko
  2023-12-11 12:13     ` Vadim Fedorenko
  0 siblings, 1 reply; 5+ messages in thread
From: Jiri Pirko @ 2023-12-11 11:43 UTC (permalink / raw)
  To: Vadim Fedorenko
  Cc: netdev, kuba, pabeni, davem, edumazet, arkadiusz.kubalewski,
	gregkh, hdthky0, michal.michalik, milena.olech

Mon, Dec 11, 2023 at 11:46:24AM CET, vadim.fedorenko@linux.dev wrote:
>On 11/12/2023 08:37, Jiri Pirko wrote:
>> From: Jiri Pirko <jiri@nvidia.com>
>> 
>> User may not pass DPLL_A_PIN_STATE attribute in the pin set operation
>> message. Sanitize that by checking if the attr pointer is not null
>> and process the passed state attribute value only in that case.
>> 
>> Reported-by: Xingyuan Mo <hdthky0@gmail.com>
>> Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions")
>> Signed-off-by: Jiri Pirko <jiri@nvidia.com>
>> ---
>>   drivers/dpll/dpll_netlink.c | 13 ++++++++-----
>>   1 file changed, 8 insertions(+), 5 deletions(-)
>> 
>> diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c
>> index 442a0ebeb953..ce7cf736f020 100644
>> --- a/drivers/dpll/dpll_netlink.c
>> +++ b/drivers/dpll/dpll_netlink.c
>> @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
>>   			struct netlink_ext_ack *extack)
>>   {
>>   	struct nlattr *tb[DPLL_A_PIN_MAX + 1];
>> -	enum dpll_pin_state state;
>>   	u32 ppin_idx;
>>   	int ret;
>> @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
>>   		return -EINVAL;
>>   	}
>>   	ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]);
>> -	state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
>> -	ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
>> -	if (ret)
>> -		return ret;
>> +
>> +	if (tb[DPLL_A_PIN_STATE]) {
>> +		enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
>> +
>> +		ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
>> +		if (ret)
>> +			return ret;
>> +	}
>>   	return 0;
>>   }
>
>I don't believe that "set" command without set value should return 0
>meaning "request was completed successfully". Maybe it's better to add
>another check like for DPLL_A_PIN_PARENT_ID and fill extack with
>description?

Please see dpll_pin_parent_device_set(). State here is treated exactly
the same as there. It makes sense during set operation to process only
the attributes that are passed. In the future, dpll_pin_parent_pin_set()
can process more attributes, lets be prepared for that.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
  2023-12-11 11:43   ` Jiri Pirko
@ 2023-12-11 12:13     ` Vadim Fedorenko
  0 siblings, 0 replies; 5+ messages in thread
From: Vadim Fedorenko @ 2023-12-11 12:13 UTC (permalink / raw)
  To: Jiri Pirko
  Cc: netdev, kuba, pabeni, davem, edumazet, arkadiusz.kubalewski,
	gregkh, hdthky0, michal.michalik, milena.olech

On 11/12/2023 11:43, Jiri Pirko wrote:
> Mon, Dec 11, 2023 at 11:46:24AM CET, vadim.fedorenko@linux.dev wrote:
>> On 11/12/2023 08:37, Jiri Pirko wrote:
>>> From: Jiri Pirko <jiri@nvidia.com>
>>>
>>> User may not pass DPLL_A_PIN_STATE attribute in the pin set operation
>>> message. Sanitize that by checking if the attr pointer is not null
>>> and process the passed state attribute value only in that case.
>>>
>>> Reported-by: Xingyuan Mo <hdthky0@gmail.com>
>>> Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions")
>>> Signed-off-by: Jiri Pirko <jiri@nvidia.com>
>>> ---
>>>    drivers/dpll/dpll_netlink.c | 13 ++++++++-----
>>>    1 file changed, 8 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c
>>> index 442a0ebeb953..ce7cf736f020 100644
>>> --- a/drivers/dpll/dpll_netlink.c
>>> +++ b/drivers/dpll/dpll_netlink.c
>>> @@ -925,7 +925,6 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
>>>    			struct netlink_ext_ack *extack)
>>>    {
>>>    	struct nlattr *tb[DPLL_A_PIN_MAX + 1];
>>> -	enum dpll_pin_state state;
>>>    	u32 ppin_idx;
>>>    	int ret;
>>> @@ -936,10 +935,14 @@ dpll_pin_parent_pin_set(struct dpll_pin *pin, struct nlattr *parent_nest,
>>>    		return -EINVAL;
>>>    	}
>>>    	ppin_idx = nla_get_u32(tb[DPLL_A_PIN_PARENT_ID]);
>>> -	state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
>>> -	ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
>>> -	if (ret)
>>> -		return ret;
>>> +
>>> +	if (tb[DPLL_A_PIN_STATE]) {
>>> +		enum dpll_pin_state state = nla_get_u32(tb[DPLL_A_PIN_STATE]);
>>> +
>>> +		ret = dpll_pin_on_pin_state_set(pin, ppin_idx, state, extack);
>>> +		if (ret)
>>> +			return ret;
>>> +	}
>>>    	return 0;
>>>    }
>>
>> I don't believe that "set" command without set value should return 0
>> meaning "request was completed successfully". Maybe it's better to add
>> another check like for DPLL_A_PIN_PARENT_ID and fill extack with
>> description?
> 
> Please see dpll_pin_parent_device_set(). State here is treated exactly
> the same as there. It makes sense during set operation to process only
> the attributes that are passed. In the future, dpll_pin_parent_pin_set()
> can process more attributes, lets be prepared for that.

Ok, let's be ready.

Acked-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
  2023-12-11  8:37 [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set() Jiri Pirko
  2023-12-11 10:46 ` Vadim Fedorenko
@ 2023-12-13  0:30 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-12-13  0:30 UTC (permalink / raw)
  To: Jiri Pirko
  Cc: netdev, kuba, pabeni, davem, edumazet, vadim.fedorenko,
	arkadiusz.kubalewski, gregkh, hdthky0, michal.michalik,
	milena.olech

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 11 Dec 2023 09:37:58 +0100 you wrote:
> From: Jiri Pirko <jiri@nvidia.com>
> 
> User may not pass DPLL_A_PIN_STATE attribute in the pin set operation
> message. Sanitize that by checking if the attr pointer is not null
> and process the passed state attribute value only in that case.
> 
> Reported-by: Xingyuan Mo <hdthky0@gmail.com>
> Fixes: 9d71b54b65b1 ("dpll: netlink: Add DPLL framework base functions")
> Signed-off-by: Jiri Pirko <jiri@nvidia.com>
> 
> [...]

Here is the summary with links:
  - [net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
    https://git.kernel.org/netdev/net/c/65c95f78917e

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-12-13  0:30 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-11  8:37 [patch net] dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set() Jiri Pirko
2023-12-11 10:46 ` Vadim Fedorenko
2023-12-11 11:43   ` Jiri Pirko
2023-12-11 12:13     ` Vadim Fedorenko
2023-12-13  0:30 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).