[PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_l2_flood

Michael Tokarev posted 1 patch 6 months ago
Failed in applying to current master (apply log)
hw/net/rocker/rocker_of_dpa.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_l2_flood
Posted by Michael Tokarev 6 months ago
Did this CVE-2022-36648 fix get lost?

https://lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html

rocker_tlv_parse_nested could return early because of no group ids in
the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next
for-loop will deref the NULL pointer.

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: <arayz_w@icloud.com>
---
  hw/net/rocker/rocker_of_dpa.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
index b3b8c5bb6d..1611b79227 100644
--- a/hw/net/rocker/rocker_of_dpa.c
+++ b/hw/net/rocker/rocker_of_dpa.c
@@ -2039,6 +2039,11 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa,
OfDpaGroup *group,
      rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count,
                              group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);

+    if (!tlvs) {
+        err = -ROCKER_EINVAL;
+        goto err_out;
+    }
+
      for (i = 0; i < group->l2_flood.group_count; i++) {
          group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);
      }
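Review bot: the new guard tests the outer pointer `tlvs`, but the loop that follows dereferences the individual entries `tlvs[i + 1]`. `tlvs` is passed by value into rocker_tlv_parse_nested() as the destination array, so the parser cannot turn the caller's pointer into NULL; a nested group-ID TLV that is absent from the input shows up as a NULL slot inside that array, which `if (!tlvs)` does not catch. Consider validating each entry inside the loop instead, for example `if (!tlvs[i + 1]) { err = -ROCKER_EINVAL; goto err_out; }` ahead of the rocker_tlv_get_le32() call, and say in the commit message which of the two conditions the report actually triggered. `err_out` and `ROCKER_EINVAL` are outside the hunk; if `tlvs` is allocated earlier in this function, please confirm that the `err_out` path releases it.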
-- 
2.35.3
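The failure mode the commit message describes is a consumer trusting a declared entry count and indexing a parser-filled pointer array without checking each slot. The program below is an added example written for this page, not QEMU's rocker code: the TLV layout, the function names (parse_nested, collect_group_ids, demo) and the sample input are all constructed here. It mirrors the `tlvs[i + 1]` slot convention of the hunk and shows the defensive version of the loop, which returns an error when a declared entry is missing or too short instead of dereferencing a NULL slot.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed TLV layout for this example (not rocker's wire format):
 * 16-bit little-endian type, 16-bit little-endian total length
 * (header included), then the value bytes. */
#define TLV_HDR_LEN 4

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the nested TLVs in buf into tb[1..maxtype], indexed by type,
 * mirroring the tlvs[i + 1] convention in the hunk above. Absent types
 * leave their slot NULL; parsing stops at the first truncated or
 * malformed entry rather than reading past buflen. */
static void parse_nested(const uint8_t **tb, int maxtype,
                         const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
    while (off + TLV_HDR_LEN <= buflen) {
        uint16_t type = get_le16(buf + off);
        uint16_t len  = get_le16(buf + off + 2);
        if (len < TLV_HDR_LEN || off + len > buflen) {
            return;
        }
        if (type >= 1 && (int)type <= maxtype) {
            tb[type] = buf + off;
        }
        off += len;
    }
}

/* Fill ids[0..count-1] from nested entries of type 1..count. Returns 0 on
 * success and -1 if any expected entry is missing or shorter than a
 * 32-bit value, so the caller never dereferences a NULL slot. */
static int collect_group_ids(const uint8_t *nested, size_t nested_len,
                             int count, uint32_t *ids)
{
    const uint8_t **tb = calloc((size_t)count + 1, sizeof *tb);
    int i, err = 0;
    if (!tb) {
        return -1;
    }
    parse_nested(tb, count, nested, nested_len);
    for (i = 0; i < count; i++) {
        const uint8_t *e = tb[i + 1];
        if (!e || get_le16(e + 2) < TLV_HDR_LEN + 4) {
            err = -1;   /* entry absent, or value too short for a u32 */
            break;
        }
        ids[i] = get_le32(e + TLV_HDR_LEN);
    }
    free(tb);
    return err;
}

/* Append one entry carrying a 32-bit value; returns the bytes written. */
static size_t put_entry(uint8_t *buf, uint16_t type, uint32_t value)
{
    buf[0] = (uint8_t)(type & 0xff);
    buf[1] = (uint8_t)(type >> 8);
    buf[2] = TLV_HDR_LEN + 4;
    buf[3] = 0;
    buf[4] = (uint8_t)(value & 0xff);
    buf[5] = (uint8_t)((value >> 8) & 0xff);
    buf[6] = (uint8_t)((value >> 16) & 0xff);
    buf[7] = (uint8_t)((value >> 24) & 0xff);
    return TLV_HDR_LEN + 4;
}

/* Constructed input: the declared count is always 3, but only n_present
 * entries (types 1..n_present, value 0x1000 * type) are encoded. */
static int demo(int n_present, uint32_t out[3])
{
    uint8_t buf[64];
    size_t len = 0;
    int t;
    for (t = 1; t <= n_present; t++) {
        len += put_entry(buf + len, (uint16_t)t, 0x1000u * (uint32_t)t);
    }
    memset(out, 0, 3 * sizeof(uint32_t));
    return collect_group_ids(buf, len, 3, out);
}

/* Convenience accessor: run demo() and return one parsed id. */
static uint32_t demo_id(int n_present, int idx)
{
    uint32_t ids[3];
    demo(n_present, ids);
    return ids[idx];
}

int main(void)
{
    uint32_t ids[3];
    int complete = demo(3, ids);  /* all three present: returns 0 */
    int missing  = demo(2, ids);  /* third slot NULL: returns -1 */
    return (complete == 0 && missing == -1) ? 0 : 1;
}
```

With all three entries present collect_group_ids() returns 0 and fills the ids; with only two present the third slot stays NULL and the function returns -1 before touching it, which is the check the loop in the hunk needs per entry rather than once on the array pointer.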
Re: [PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_l2_flood
Posted by Michael Tokarev 6 months ago
LORE has a better view/threading for this one:

https://lore.kernel.org/qemu-devel/20220624143912.1234427-1-mcascell@redhat.com/

Which also links to https://gitlab.com/qemu-project/qemu/-/issues/1851

So basically, n/m.

/mjt