2022-08-16 22:56:38

by Rustam Subkhankulov

Subject: [PATCH] net: dsa: sja1105: fix buffer overflow in sja1105_setup_devlink_regions()

If an error occurs in dsa_devlink_region_create(), then 'priv->regions'
array will be accessed by negative index '-1'.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rustam Subkhankulov <[email protected]>
Fixes: bf425b82059e ("net: dsa: sja1105: expose static config as devlink region")
---
drivers/net/dsa/sja1105/sja1105_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_devlink.c b/drivers/net/dsa/sja1105/sja1105_devlink.c
index 0569ff066634..10c6fea1227f 100644
--- a/drivers/net/dsa/sja1105/sja1105_devlink.c
+++ b/drivers/net/dsa/sja1105/sja1105_devlink.c
@@ -93,7 +93,7 @@ static int sja1105_setup_devlink_regions(struct dsa_switch *ds)

region = dsa_devlink_region_create(ds, ops, 1, size);
if (IS_ERR(region)) {
- while (i-- >= 0)
+ while (--i >= 0)
dsa_devlink_region_destroy(priv->regions[i]);
return PTR_ERR(region);
}
--
2.34.1

2022-08-18 05:43:47

by patchwork-bot+netdevbpf

Subject: Re: [PATCH] net: dsa: sja1105: fix buffer overflow in sja1105_setup_devlink_regions()

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <[email protected]>:

On Wed, 17 Aug 2022 03:38:45 +0300 you wrote:
> If an error occurs in dsa_devlink_region_create(), then 'priv->regions'
> array will be accessed by negative index '-1'.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Rustam Subkhankulov <[email protected]>
> Fixes: bf425b82059e ("net: dsa: sja1105: expose static config as devlink region")
>
> [...]

Here is the summary with links:
- net: dsa: sja1105: fix buffer overflow in sja1105_setup_devlink_regions()
https://git.kernel.org/netdev/net/c/fd8e899cdb5e

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html