qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge: CVE-2024-35891: net: phy: micrel: Fix potential null pointer dereference 

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/4984

JIRA: https://issues.redhat.com/browse/RHEL-37224  
CVE: CVE-2024-35891

```
net: phy: micrel: Fix potential null pointer dereference

In lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may
return NULL as ptp_header due to abnormal packet type or corrupted packet.
Fix this bug by adding ptp_header check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: ece19502834d ("net: phy: micrel: 1588 support for LAN8814 phy")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20240329061631.33199-1-amishin@t-argos.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 96c155943a703f0655c0c4cab540f67055960e91)
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

Approved-by: José Ignacio Tornos Martínez <jtornosm@redhat.com>
Approved-by: Izabela Bakollari <ibakolla@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Rado Vrbovsky <rvrbovsk@redhat.com>
This commit is contained in:
Rado Vrbovsky 2024-09-26 17:54:44 +00:00
parent 5cdbdf8edb 86d1330d95
commit a567d2a1e3
1 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
drivers/net/phy/micrel.c
View File

@ -2527,7 +2527,7 @@ static void lan8814_txtstamp(struct mii_timestamper *mii_ts,
}
}
static void lan8814_get_sig_rx(struct sk_buff *skb, u16 *sig)
static bool lan8814_get_sig_rx(struct sk_buff *skb, u16 *sig)
{
struct ptp_header *ptp_header;
u32 type;
@ -2537,7 +2537,11 @@ static void lan8814_get_sig_rx(struct sk_buff *skb, u16 *sig)
ptp_header = ptp_parse_header(skb, type);
skb_pull_inline(skb, ETH_HLEN);
if (!ptp_header)
return false;
*sig = (__force u16)(ntohs(ptp_header->sequence_id));
return true;
}
static bool lan8814_match_rx_skb(struct kszphy_ptp_priv *ptp_priv,
@ -2549,7 +2553,8 @@ static bool lan8814_match_rx_skb(struct kszphy_ptp_priv *ptp_priv,
bool ret = false;
u16 skb_sig;
lan8814_get_sig_rx(skb, &skb_sig);
if (!lan8814_get_sig_rx(skb, &skb_sig))
return ret;
/* Iterate over all RX timestamps and match it with the received skbs */
spin_lock_irqsave(&ptp_priv->rx_ts_lock, flags);
@ -2824,7 +2829,7 @@ static int lan8814_ptpci_adjfine(struct ptp_clock_info *ptpci, long scaled_ppm)
return 0;
}
static void lan8814_get_sig_tx(struct sk_buff *skb, u16 *sig)
static bool lan8814_get_sig_tx(struct sk_buff *skb, u16 *sig)
{
struct ptp_header *ptp_header;
u32 type;
@ -2832,7 +2837,11 @@ static void lan8814_get_sig_tx(struct sk_buff *skb, u16 *sig)
type = ptp_classify_raw(skb);
ptp_header = ptp_parse_header(skb, type);
if (!ptp_header)
return false;
*sig = (__force u16)(ntohs(ptp_header->sequence_id));
return true;
}
static void lan8814_match_tx_skb(struct kszphy_ptp_priv *ptp_priv,
@ -2846,7 +2855,8 @@ static void lan8814_match_tx_skb(struct kszphy_ptp_priv *ptp_priv,
spin_lock_irqsave(&ptp_priv->tx_queue.lock, flags);
skb_queue_walk_safe(&ptp_priv->tx_queue, skb, skb_tmp) {
lan8814_get_sig_tx(skb, &skb_sig);
if (!lan8814_get_sig_tx(skb, &skb_sig))
continue;
if (memcmp(&skb_sig, &seq_id, sizeof(seq_id)))
continue;
@ -2900,7 +2910,8 @@ static bool lan8814_match_skb(struct kszphy_ptp_priv *ptp_priv,
spin_lock_irqsave(&ptp_priv->rx_queue.lock, flags);
skb_queue_walk_safe(&ptp_priv->rx_queue, skb, skb_tmp) {
lan8814_get_sig_rx(skb, &skb_sig);
if (!lan8814_get_sig_rx(skb, &skb_sig))
continue;
if (memcmp(&skb_sig, &rx_ts->seq_id, sizeof(rx_ts->seq_id)))
continue;