1. Patchew
  2. linux
  3. View series

[PATCH] net/dsa: fix oob in dsa_user_prechangeupper

Edward Adam Davis posted 1 patch 1 year, 11 months ago 
net/dsa/user.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH] net/dsa: fix oob in dsa_user_prechangeupper
Posted by Edward Adam Davis 1 year, 11 months ago 
If the private data is not allocated memory when generating an instance of 
struct net_device, i.e. priv_size is too small, then its corresponding private
data should not be accessed.

Reported-and-tested-by: syzbot+7ec955e36bb239bd720f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/dsa/user.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/dsa/user.h b/net/dsa/user.h
index 996069130bea..9a40918ee7fc 100644
--- a/net/dsa/user.h
+++ b/net/dsa/user.h
@@ -53,7 +53,11 @@ int dsa_user_manage_vlan_filtering(struct net_device *dev,
 
 static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
 {
-	struct dsa_user_priv *p = netdev_priv(dev);
+	const struct rtnl_link_ops *ops = dev->rtnl_link_ops;
+	struct dsa_user_priv *p = ops->priv_size >= sizeof(*p) ? 
+		netdev_priv(dev) : NULL;
+	if (!p)
+		return NULL;
 
 	return p->dp;
 }
-- 
2.43.0
Re: [PATCH] net/dsa: fix oob in dsa_user_prechangeupper
Posted by Vladimir Oltean 1 year, 11 months ago 
On Tue, Jan 16, 2024 at 10:56:26PM +0800, Edward Adam Davis wrote:
> If the private data is not allocated memory when generating an instance of 
> struct net_device, i.e. priv_size is too small, then its corresponding private
> data should not be accessed.
> 
> Reported-and-tested-by: syzbot+7ec955e36bb239bd720f@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  net/dsa/user.h | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/dsa/user.h b/net/dsa/user.h
> index 996069130bea..9a40918ee7fc 100644
> --- a/net/dsa/user.h
> +++ b/net/dsa/user.h
> @@ -53,7 +53,11 @@ int dsa_user_manage_vlan_filtering(struct net_device *dev,
>  
>  static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
>  {
> -	struct dsa_user_priv *p = netdev_priv(dev);
> +	const struct rtnl_link_ops *ops = dev->rtnl_link_ops;
> +	struct dsa_user_priv *p = ops->priv_size >= sizeof(*p) ? 
> +		netdev_priv(dev) : NULL;
> +	if (!p)
> +		return NULL;
>  
>  	return p->dp;
>  }
> -- 
> 2.43.0
> 

The problem has been fixed by:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=844f104790bd

pw-bot: rejected

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.