Patch "mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0a9858cc6c6aefad4ff5cc708d9bc40e21d0d74f
Author: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
Date:   Mon Apr 17 05:07:18 2023 -0700

    mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
    
    [ Upstream commit c0e73276f0fcbbd3d4736ba975d7dc7a48791b0c ]
    
    Function mlxfw_mfa2_tlv_multi_get() returns NULL if 'tlv' in
    question does not pass checks in mlxfw_mfa2_tlv_payload_get(). This
    behaviour may lead to NULL pointer dereference in 'multi->total_len'.
    Fix this issue by testing mlxfw_mfa2_tlv_multi_get()'s return value
    against NULL.
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
    Co-developed-by: Natalia Petrova <n.petrova@xxxxxxxxxx>
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
    Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230417120718.52325-1-n.zhandarovich@xxxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
index 017d68f1e1232..972c571b41587 100644
--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
@@ -31,6 +31,8 @@ mlxfw_mfa2_tlv_next(const struct mlxfw_mfa2_file *mfa2_file,
 
 	if (tlv->type == MLXFW_MFA2_TLV_MULTI_PART) {
 		multi = mlxfw_mfa2_tlv_multi_get(mfa2_file, tlv);
+		if (!multi)
+			return NULL;
 		tlv_len = NLA_ALIGN(tlv_len + be16_to_cpu(multi->total_len));
 	}
 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux