From: Dan Carpenter dan.carpenter@oracle.com
stable inclusion from stable-v4.19.193 commit 0f2cb08c57edefb0e7b5045e0e3e9980a3d3aa37 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9BHSG CVE: CVE-2021-47159
--------------------------------
commit a269333fa5c0c8e53c92b5a28a6076a28cde3e83 upstream.
If ds->ops->get_sset_count() fails then it "count" is a negative error code such as -EOPNOTSUPP. Because "i" is an unsigned int, the negative error code is type promoted to a very high value and the loop will corrupt memory until the system crashes.
Fix this by checking for error codes and changing the type of "i" to just int.
Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Reviewed-by: Andrew Lunn andrew@lunn.ch Reviewed-by: Florian Fainelli f.fainelli@gmail.com Reviewed-by: Vladimir Oltean olteanv@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com --- net/dsa/master.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/dsa/master.c b/net/dsa/master.c index aae478d611018..22e9ce6e51a48 100644 --- a/net/dsa/master.c +++ b/net/dsa/master.c @@ -87,8 +87,7 @@ static void dsa_master_get_strings(struct net_device *dev, uint32_t stringset, struct dsa_switch *ds = cpu_dp->ds; int port = cpu_dp->index; int len = ETH_GSTRING_LEN; - int mcount = 0, count; - unsigned int i; + int mcount = 0, count, i; uint8_t pfx[4]; uint8_t *ndata;
@@ -118,6 +117,8 @@ static void dsa_master_get_strings(struct net_device *dev, uint32_t stringset, */ ds->ops->get_strings(ds, port, stringset, ndata); count = ds->ops->get_sset_count(ds, port, stringset); + if (count < 0) + return; for (i = 0; i < count; i++) { memmove(ndata + (i * len + sizeof(pfx)), ndata + i * len, len - sizeof(pfx));