Re: [PATCH] Prevent out-of-bounds read/write in bcmasp_netfilt_rd and bcmasp_netfilt_wr

From: Yuran Pereira
Date: Fri Nov 03 2023 - 10:19:26 EST



On second thought, it might not be a good idea to return
an error without modifying the caller, since the caller of
this function currently uses this return value without checking
if it's an error.
I guess that explains why the first check returns 0.

```
static int bcmasp_netfilt_wr_m_wake(struct bcmasp_priv *priv,
...
{
...
	if (first_byte && (!IS_ALIGNED(offset, 4) || size < 3)) {
		match_val = bcmasp_netfilt_rd(priv, nfilt,
					      ASP_NETFILT_MATCH,
					      ALIGN_DOWN(offset, 4));
		mask_val = bcmasp_netfilt_rd(priv, nfilt,
					     ASP_NETFILT_MASK,
					     ALIGN_DOWN(offset, 4));
	}

	shift = (3 - (offset % 4)) * 8;
	match_val &= ~GENMASK(shift + 7, shift);
	mask_val &= ~GENMASK(shift + 7, shift);
	match_val |= (u32)(*((u8 *)match) << shift);
	mask_val |= (u32)(*((u8 *)mask) << shift);

```
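
An added example, not part of the original message or the bcmasp driver, showing the concern raised above: when a read helper returns a negative errno in the same `int` that carries register data, an unchecked caller merges the error bits into the word it builds. All `demo_*` names, the 4-word window and its contents are constructed for illustration.

```c
#include <stdint.h>
#include <errno.h>

#define DEMO_FILT_WORDS 4	/* constructed size, not the driver's */

/* Constructed stand-in for the filter register window. */
static uint32_t demo_regs[DEMO_FILT_WORDS] = { 0x11223344, 0, 0, 0 };

/* In-band style: register data and error code share the return value. */
static int demo_rd_inband(uint32_t offset)
{
	if (offset / 4 >= DEMO_FILT_WORDS)
		return -EINVAL;
	return (int)demo_regs[offset / 4];
}

/* Out-of-band style: status is returned, data is stored through *val. */
static int demo_rd_checked(uint32_t offset, uint32_t *val)
{
	if (offset / 4 >= DEMO_FILT_WORDS)
		return -EINVAL;
	*val = demo_regs[offset / 4];
	return 0;
}

/* Caller shaped like the excerpt: merge one byte into the word read back,
 * using the helper's return value without checking it. */
static uint32_t demo_merge_unchecked(uint32_t offset, uint8_t byte)
{
	unsigned int shift = (3 - (offset % 4)) * 8;
	uint32_t val = (uint32_t)demo_rd_inband(offset & ~3u);

	val &= ~(0xffu << shift);
	return val | ((uint32_t)byte << shift);
}

/* Same merge, but the read status is checked before the data is used. */
static int demo_merge_checked(uint32_t offset, uint8_t byte, uint32_t *out)
{
	unsigned int shift = (3 - (offset % 4)) * 8;
	uint32_t val;
	int ret = demo_rd_checked(offset & ~3u, &val);

	if (ret)
		return ret;
	val &= ~(0xffu << shift);
	*out = val | ((uint32_t)byte << shift);
	return 0;
}
```

With an out-of-range offset, `demo_merge_unchecked()` returns a word whose untouched bytes come from `-EINVAL`, while `demo_merge_checked()` returns the error and leaves the output alone.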