Commit 3c70144e authored Sep 08, 2023 by Hangyu Hua Committed by sanglipeng Mar 05, 2024

net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()

stable inclusion
from stable-v5.10.195
commit 61054a8ddb176b155a8f2bacdfefb3727187f5d9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I95JOC

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=61054a8ddb176b155a8f2bacdfefb3727187f5d9



--------------------------------

[ Upstream commit 51fe0a47 ]

rules is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be check before using
rules to avoid OOB writing or NULL pointer dereference.

Fixes: 90b509b3 ("net: mvpp2: cls: Add Classification offload support")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent fa715ed6

drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -5217,6 +5217,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev,
		break;
		case ETHTOOL_GRXCLSRLALL:
		for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
		if (loc == info->rule_cnt) {
		ret = -EMSGSIZE;
		break;
		}

		if (port->rfs_rules[i])
		rules[loc++] = i;
		}