Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp337203yba; Sat, 4 May 2019 03:30:50 -0700 (PDT) X-Google-Smtp-Source: APXvYqwd2Tmd3P0lzL3yzH6uD9sip/r9bxDQhJQXtKFeZ1qz9cFoQbGTFy8SYvDFZBgVD//NCHxR X-Received: by 2002:a63:2b0d:: with SMTP id r13mr17851325pgr.400.1556965850598; Sat, 04 May 2019 03:30:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556965850; cv=none; d=google.com; s=arc-20160816; b=0D/UcjhePuBCrUVwaiqLxibfDVYLU8WZWZpySo1qocRloIVklEVZpytZnv9JUlY4Mr onysTQj3JhDMjT/feFXFWs4s3KqWvbLJUAiqPq4yYEzuZaOvexfJYJPO0k/cigdDaqRf Afc8j9cmsNlYBV0NwW5767qZyYQediAuXIrZ2TUHoRRiLdg2QDwWms6eod/kXYdEcub1 yLMrDDrifVubi9y1EF+tSCABaiZn9YQG3F5l+Yf1ifH/KTgHA49BHKC9oR/7UuxDzqp+ CBrpGzDaBpoRaN75r8YZbTWj4j4Km2f/LET16pRlaJLlBkDtCLJV0jNW2L4i6DAID7gj gFjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=BOiCEDxkY89uTSA5eTyPaDJn9xdV990sCauucQ1CfwE=; b=Na8hSjm2bJhN4eFssk0V/gHfAkE3RjoJ1mxRaF3A+xh8KgV1jme6MpHktMXpCFMiZM CYuIQXf0c4zTI12TWOzD7t7ddJXz7VZPM03J7M0TTkzzE+PGiH8AZTZcfPX/MpqIfwDQ GExaxP/FsuLpFlDwid+ZJz6wI24KQrHwZnV6cslbMcygb6G4BuptiGzmnNMX5NIoz2o2 0PoLLzgmBX+y6q2l6yAX3cK9Z8cd7facjMWOvG/Vdw9z5XeoMD4yHAXlK5XigyD/UT01 12QvLOc1Vj/yIqDTzD+L/xBwNFYIDM9vHURdkG2l97q95arZAhcSIHZbnWYO7R4gfdyM dJjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=e2hQOVcm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n19si6266603pgh.457.2019.05.04.03.30.35; Sat, 04 May 2019 03:30:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=e2hQOVcm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728373AbfEDK2C (ORCPT + 99 others); Sat, 4 May 2019 06:28:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:38624 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728340AbfEDK15 (ORCPT ); Sat, 4 May 2019 06:27:57 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 600262085A; Sat, 4 May 2019 10:27:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965676; bh=yCIp8hvQRzWQWnTcmjKnPab4t1jUjfTfxobF3VWZbzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=e2hQOVcmA9i680ljj1au9w4qB6snfQpDVoBqiuyFvSSROPqhErDIWyTFuscRpMNc0 Xm3xgK1Jsuy0PWoGJV0EStDM6DqdF4JoIwSkXoD+GLav6Y48uo2ag2COgLeE96n+sO 2imerCjjSJNsHvLvTQGcZMk1G8a103kqo+L84NR8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , "David S. Miller" Subject: [PATCH 4.19 08/23] net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc Date: Sat, 4 May 2019 12:25:10 +0200 Message-Id: <20190504102451.831062292@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190504102451.512405835@linuxfoundation.org> References: <20190504102451.512405835@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit f949a12fd697479f68d99dc65e9bbab68ee49043 ] The "fs->location" is a u32 that comes from the user in ethtool_set_rxnfc(). We can't pass unclamped values to test_bit() or it results in an out of bounds access beyond the end of the bitmap. Fixes: 7318166cacad ("net: dsa: bcm_sf2: Add support for ethtool::rxnfc") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/dsa/bcm_sf2_cfp.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/net/dsa/bcm_sf2_cfp.c +++ b/drivers/net/dsa/bcm_sf2_cfp.c @@ -742,6 +742,9 @@ static int bcm_sf2_cfp_rule_set(struct d fs->m_ext.data[1])) return -EINVAL; + if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES) + return -EINVAL; + if (fs->location != RX_CLS_LOC_ANY && test_bit(fs->location, priv->cfp.used)) return -EBUSY; @@ -836,6 +839,9 @@ static int bcm_sf2_cfp_rule_del(struct b u32 next_loc = 0; int ret; + if (loc >= CFP_NUM_RULES) + return -EINVAL; + /* Refuse deleting unused rules, and those that are not unique since * that could leave IPv6 rules with one of the chained rule in the * table.