Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2614964pxu; Mon, 14 Dec 2020 06:56:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJxTFYATpiUqV/achI923nBQ1C1a42+/c3Mh7pvBVfj2dRzv+ubTHv+IN5oOVetut5SRsack X-Received: by 2002:aa7:d74d:: with SMTP id a13mr25340475eds.78.1607957814634; Mon, 14 Dec 2020 06:56:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607957814; cv=none; d=google.com; s=arc-20160816; b=H/vGk/HKgr6G5uZlWc78DUFq9LEAFbbNpfEVTIDsAeW2gWkMO2oDaYgVEuOUv4eiJL RrcrB4bZjcAqnO1D+PKHblb+EYZovWNJIRQ+1FhSJHxuAfSBnigYkmMOCHlgWbjhcskt TYz+UYbHPBkcNUzm3XTCvsy0d678eQrJZ5OMpBIF6AlftYWhDs+S4Be3X7K9ZojYTagw 9t1DZIEpVMqOHy1t20PIp1Ers2DuOogY1labFnGxVGetAgaOnmdeCgsOLIHx3CyBRG41 WP+U3wM4ZfbAOqEhmqt47g0Msynm8om4SLCPUAH594yFn5z3KQNOzTLX6yDRkQ5C9db/ CYgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:date:cc:to:subject:from:message-id; bh=OhRbQfHr9ayWArYzsibd3uIlYHQOESFyBUrzvIx9pRA=; b=D5PlsF+zf18syI4a4Lx80PXjKi58zCpbLKnKPE5tbIkcDHBXVZ5N5Qfa6yUFxsMztU DPYgsiyRQpv5WNnLml9UJYCAP0o7IQlRvE6Fd3olTsCyuzF06d4Kz+AEh2wFrkgDlHu6 L7yyfjJiFfn0QcPM7X6rTWv54+A1yoNmba3MClvmUIj7Qy/UMa0k/VEtEaujtEMbs3I3 8wSpB9wHqnoPavGTReIRVm1G2UR1sfBMSDCYyJ/vyqJSCPbiXxLd7TDg1jjtgxyz9M0X MiAxpVb3t/U59ITjZvYrd/l8BnCF4I3dSCPcP6a//357tuBmWjTKUfS5kDtgZn0o8/77 AUlQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f20si11541955edy.12.2020.12.14.06.56.30; Mon, 14 Dec 2020 06:56:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2439463AbgLNN0J (ORCPT + 99 others); Mon, 14 Dec 2020 08:26:09 -0500 Received: from mx2.suse.de ([195.135.220.15]:52356 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2439357AbgLNNZt (ORCPT ); Mon, 14 Dec 2020 08:25:49 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 7F87AAC10; Mon, 14 Dec 2020 13:25:01 +0000 (UTC) Received: by lion.mk-sys.cz (Postfix, from userid 1000) id 1346B6030D; Mon, 14 Dec 2020 14:25:01 +0100 (CET) Message-Id: From: Michal Kubecek Subject: [PATCH net] ethtool: fix string set id check To: "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Date: Mon, 14 Dec 2020 14:25:01 +0100 (CET) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Syzbot reported a shift of a u32 by more than 31 in strset_parse_request() which is undefined behavior. This is caused by range check of string set id using variable ret (which is always 0 at this point) instead of id (string set id from request). Fixes: 71921690f974 ("ethtool: provide string sets with STRSET_GET request") Reported-by: syzbot+96523fb438937cd01220@syzkaller.appspotmail.com Signed-off-by: Michal Kubecek --- net/ethtool/strset.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c index 0baad0ce1832..c3a5489964cd 100644 --- a/net/ethtool/strset.c +++ b/net/ethtool/strset.c @@ -182,7 +182,7 @@ static int strset_parse_request(struct ethnl_req_info *req_base, ret = strset_get_id(attr, &id, extack); if (ret < 0) return ret; - if (ret >= ETH_SS_COUNT) { + if (id >= ETH_SS_COUNT) { NL_SET_ERR_MSG_ATTR(extack, attr, "unknown string set id"); return -EOPNOTSUPP; -- 2.29.2