| Message ID | 20220316083948.GC30941@kili (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | RDMA/nldev: prevent underflow in nldev_stat_set_counter_dynamic_doit() | expand |
On Wed, Mar 16, 2022 at 11:39:48AM +0300, Dan Carpenter wrote: > This code checks "index" for an upper bound but it does not check for > negatives. Change the type to unsigned to prevent underflows. > > Fixes: 3c3c1f141639 ("RDMA/nldev: Allow optional-counter status configuration through RDMA netlink") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > Could we not use a nldev_policy[] to tighten the bounds checking even > more? We are doing it, when calling to nlmsg_parse() at the beginning of nldev_stat_set_doit(). The entry_attr, which used as input to index, is tb[RDMA_NLDEV_ATTR_STAT_HWCOUNTER_INDEX]. However it is not enough and we still need your change, because input can be large enough to be casted to negative value. Thanks, Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
On Wed, Mar 16, 2022 at 11:39:48AM +0300, Dan Carpenter wrote: > This code checks "index" for an upper bound but it does not check for > negatives. Change the type to unsigned to prevent underflows. > > Fixes: 3c3c1f141639 ("RDMA/nldev: Allow optional-counter status configuration through RDMA netlink") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Reviewed-by: Leon Romanovsky <leonro@nvidia.com> > --- > Could we not use a nldev_policy[] to tighten the bounds checking even > more? > > drivers/infiniband/core/nldev.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Applied to for-next, thanks Jason
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c index f5aacaf7fb8e..ca24ce34da76 100644 --- a/drivers/infiniband/core/nldev.c +++ b/drivers/infiniband/core/nldev.c @@ -1951,9 +1951,10 @@ static int nldev_stat_set_counter_dynamic_doit(struct nlattr *tb[], u32 port) { struct rdma_hw_stats *stats; - int rem, i, index, ret = 0; struct nlattr *entry_attr; unsigned long *target; + int rem, i, ret = 0; + u32 index; stats = ib_get_hw_stats_port(device, port); if (!stats)
This code checks "index" for an upper bound but it does not check for negatives. Change the type to unsigned to prevent underflows. Fixes: 3c3c1f141639 ("RDMA/nldev: Allow optional-counter status configuration through RDMA netlink") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Could we not use a nldev_policy[] to tighten the bounds checking even more? drivers/infiniband/core/nldev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)