netdev.vger.kernel.org archive mirror
* net: mscc: ocelot: issue with uninitialized pointer read in ocelot_flower_parse_key
From: Colin Ian King @ 2021-03-04 10:16 UTC
  To: Xiaoliang Yang
  Cc: Vladimir Oltean, Claudiu Manoil, Alexandre Belloni,
	UNGLinuxDriver, netdev, linux-kernel

Hi,

Static analysis with Coverity had detected an uninitialized pointer read
in function ocelot_flower_parse_key in
drivers/net/ethernet/mscc/ocelot_flower.c introduced by commit:

commit 75944fda1dfe836fdd406bef6cb3cc8a80f7af83
Author: Xiaoliang Yang <xiaoliang.yang_1@nxp.com>
Date:   Fri Oct 2 15:02:23 2020 +0300

    net: mscc: ocelot: offload ingress skbedit and vlan actions to VCAP IS1

The analysis is as follows:

531

   10. Condition flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS), taking true branch.
   11. Condition proto == 2048, taking true branch.

532        if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS) &&
533            proto == ETH_P_IP) {

   12. var_decl: Declaring variable match without initializer.

534                struct flow_match_ipv4_addrs match;
535                u8 *tmp;
536

   13. Condition filter->block_id == VCAP_ES0, taking false branch.

537                if (filter->block_id == VCAP_ES0) {
538                        NL_SET_ERR_MSG_MOD(extack,
539                                           "VCAP ES0 cannot match on IP address");
540                        return -EOPNOTSUPP;
541                }
542

   14. Condition filter->block_id == VCAP_IS1, taking true branch.
   Uninitialized pointer read (UNINIT)
   15. uninit_use: Using uninitialized value match.mask.

543                if (filter->block_id == VCAP_IS1 && *(u32 *)&match.mask->dst) {
544                        NL_SET_ERR_MSG_MOD(extack,
545                                           "Key type S1_NORMAL cannot match on destination IP");
546                        return -EOPNOTSUPP;
547                }

match is declared in line 534 and is not initialized and the
uninitialized match.mask is being dereferenced on line 543. Not sure
what intent was on this and how to fix, hence I'm reporting this issue.

Colin
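
A user-space model of the ordering problem reported above, added here as an illustration; it is not code from the driver or from any fix. `struct model_rule`, `model_match_ipv4_addrs()`, `parse_ipv4_key()` and `demo_parse()` are hypothetical stand-ins, the enum values are constructed, and it assumes the intent was to fill `match` from the rule before testing `match.mask`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins (assumptions) for the kernel types in the report. */
struct ipv4_addrs { uint32_t src, dst; };
struct flow_match_ipv4_addrs { struct ipv4_addrs *key, *mask; };
struct model_rule { struct ipv4_addrs key, mask; };   /* hypothetical */
enum { VCAP_ES0, VCAP_IS1, VCAP_IS2 };                /* constructed values */

/* Models a flow_rule_match_*() helper: it is what sets key and mask. */
static void model_match_ipv4_addrs(struct model_rule *rule,
                                   struct flow_match_ipv4_addrs *out)
{
    out->key = &rule->key;
    out->mask = &rule->mask;
}

/*
 * Reported pattern: 'match' declared without initializer and match.mask
 * dereferenced before anything filled it in. Here the struct starts out
 * NULL and is populated before the mask is read.
 */
int parse_ipv4_key(struct model_rule *rule, int block_id)
{
    struct flow_match_ipv4_addrs match = { NULL, NULL };
    uint32_t dst_mask;

    if (block_id == VCAP_ES0)
        return -EOPNOTSUPP;          /* ES0 cannot match on IP address */

    model_match_ipv4_addrs(rule, &match);
    if (!match.mask)
        return -EINVAL;              /* helper did not populate the match */

    /* memcpy instead of the *(u32 *)& cast: same read, no aliasing issue */
    memcpy(&dst_mask, &match.mask->dst, sizeof(dst_mask));
    if (block_id == VCAP_IS1 && dst_mask)
        return -EOPNOTSUPP;          /* S1_NORMAL cannot match on dst IP */
    return 0;
}

/* Builds a constructed rule with the given destination mask and parses it. */
int demo_parse(int block_id, uint32_t dst_mask)
{
    struct model_rule rule = { { 0x0a000001u, 0x0a000002u }, { 0, dst_mask } };
    return parse_ipv4_key(&rule, block_id);
}
```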