Subject: Re: [PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_l2_flood
From: Mauro Matteo Cascella
Date: Sat, 26 Aug 2023 16:31:20 +0200
On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
<mcascell@redhat.com> wrote:
>
> rocker_tlv_parse_nested could return early because of no group ids in
> the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next
> for-loop will deref the NULL pointer.
Someone somehow reserved a new CVE for this bug, published a few days
ago here: https://nvd.nist.gov/vuln/detail/CVE-2022-36648.
Not only is this not CVE-worthy (rocker code does not fall under the
KVM virtualization use case [1]), but what's most concerning is that it
got a CVSS score of 10 :/
I'm going to dispute this CVE. Hopefully, it will be rejected soon. In
any case, can we get this patch merged?
[1] https://www.qemu.org/docs/master/system/security.html
Thanks,
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> Reported-by: <arayz_w@icloud.com>
> ---
> hw/net/rocker/rocker_of_dpa.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
> index b3b8c5bb6d..1611b79227 100644
> --- a/hw/net/rocker/rocker_of_dpa.c
> +++ b/hw/net/rocker/rocker_of_dpa.c
> @@ -2039,6 +2039,11 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa,
> OfDpaGroup *group,
> rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count,
> group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);
>
> + if (!tlvs) {
> + err = -ROCKER_EINVAL;
> + goto err_out;
> + }
> +
> for (i = 0; i < group->l2_flood.group_count; i++) {
> group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);
> }
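Review bot: the added `if (!tlvs)` guards the wrong pointer. In this hunk `rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count, group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);` takes `tlvs` as an argument and does not assign to it, so an early return inside the parser cannot change whether `tlvs` itself is NULL at the point of the new check, while the dereference the commit message describes happens on the entries the loop indexes, `rocker_tlv_get_le32(tlvs[i + 1])`. The check belongs on each element, inside the loop, before the read: `if (!tlvs[i + 1]) { err = -ROCKER_EINVAL; goto err_out; }` followed by the existing `group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);`. That rejects a command whose group_count promises more group ids than the nested attribute actually carries, which the current check never triggers on.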
> --
> 2.35.3
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
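The failure mode the patch is about, as an added example that is not part of this thread and not QEMU's rocker code: a cut-down model of the parse-into-table pattern, with a constructed wire format (4-byte type/len header, little-endian, no padding), constructed input and assumed names. The caller allocates the pointer table, so the table itself is only NULL if allocation fails; what can stay NULL are its slots, when the guest-supplied count promises more ids than the nested attribute list carries. The hardened reader checks each slot before dereferencing it and, going slightly beyond the patch, also checks that each entry is long enough to hold a u32.

```c
/* Added example: simplified model of a TLV table, not QEMU's rocker code.
 * Wire format, names and inputs are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed encoding: uint16 type, uint16 payload length, then payload. */
#define HDR_LEN 4u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the attributes in buf and record each one at tb[type] for
 * 1 <= type <= maxtype. Types that never appear leave their slot NULL:
 * the table is always valid, its entries may not be. An attribute whose
 * length overruns the buffer ends the walk. */
static void tlv_parse(const uint8_t **tb, int maxtype, const uint8_t *buf, size_t len)
{
    memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
    size_t off = 0;
    while (off + HDR_LEN <= len) {
        uint16_t type = rd16(buf + off);
        uint16_t alen = rd16(buf + off + 2);
        if (off + HDR_LEN + alen > len) {
            break;
        }
        if (type > 0 && type <= maxtype) {
            tb[type] = buf + off;
        }
        off += HDR_LEN + alen;
    }
}

/* Hardened reader: copies up to `count` u32 ids out of the nested list.
 * Returns the number of ids copied, or -1 when a promised entry is missing
 * (NULL slot) or too short. Without the slot check, a count larger than
 * the number of entries actually present dereferences NULL. */
static int read_group_ids(uint32_t *ids, int count, const uint8_t *nested, size_t nested_len)
{
    const uint8_t **tb = calloc((size_t)count + 1, sizeof(*tb));
    int rc = -1;
    if (!tb) {
        return -1;
    }
    tlv_parse(tb, count, nested, nested_len);
    for (int i = 0; i < count; i++) {
        if (!tb[i + 1] || rd16(tb[i + 1] + 2) < 4) {   /* element check */
            rc = -1;
            goto out;
        }
        ids[i] = rd32(tb[i + 1] + HDR_LEN);
        rc = i + 1;
    }
out:
    free(tb);
    return rc;
}

/* Build a constructed nested list of n ids with types 1..n. */
static size_t build_ids(uint8_t *out, const uint32_t *vals, int n)
{
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        out[off++] = (uint8_t)(i + 1); out[off++] = 0;   /* type  */
        out[off++] = 4;                out[off++] = 0;   /* len   */
        for (int b = 0; b < 4; b++) {                    /* value */
            out[off++] = (uint8_t)(vals[i] >> (8 * b));
        }
    }
    return off;
}

/* Constructed case: the command claims 3 ids, the list carries only 2. */
static int demo_short_nested(void)
{
    uint8_t buf[64];
    uint32_t vals[2] = { 0x10001, 0x10002 };
    uint32_t ids[3] = { 0 };
    return read_group_ids(ids, 3, buf, build_ids(buf, vals, 2));
}

/* Constructed case: count matches the list; writes the last id to *last. */
static int demo_complete_nested(uint32_t *last)
{
    uint8_t buf[64];
    uint32_t vals[3] = { 0x10001, 0x10002, 0x10003 };
    uint32_t ids[3] = { 0 };
    int n = read_group_ids(ids, 3, buf, build_ids(buf, vals, 3));
    *last = ids[2];
    return n;
}

int main(void)
{
    uint32_t last = 0;
    printf("short list, count 3: %d\n", demo_short_nested());
    printf("complete list, count 3: %d (last id %#x)\n",
           demo_complete_nested(&last), last);
    return 0;
}
```

The point to take from it is which pointer the guard has to test: the table comes from the allocator and is checked once; the per-index slot is what input controls, so that check sits next to the dereference.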