Re: [PATCH net-next] net: mdio: Add netlink interface
From: Andrew Lunn
Date: Tue Mar 07 2023 - 08:49:04 EST
On Mon, Mar 06, 2023 at 10:48:48PM +0000, Russell King (Oracle) wrote:
> On Mon, Mar 06, 2023 at 03:45:16PM -0500, Sean Anderson wrote:
> > +static int mdio_nl_eval(struct mdio_nl_xfer *xfer)
> > +{
> > + struct mdio_nl_insn *insn;
> > + unsigned long timeout;
> > + u16 regs[8] = { 0 };
> > + int pc, ret = 0;
>
> So "pc" is signed.
>
> > + int phy_id, reg, prtad, devad, val;
> > +
> > + timeout = jiffies + msecs_to_jiffies(xfer->timeout_ms);
> > +
> > + mutex_lock(&xfer->mdio->mdio_lock);
> > +
> > + for (insn = xfer->prog, pc = 0;
> > + pc < xfer->prog_len;
>
> xfer->prog_len is signed, so this is a signed comparison.
>
> > + case MDIO_NL_OP_JEQ:
> > + if (__arg_ri(insn->arg0, regs) ==
> > + __arg_ri(insn->arg1, regs))
> > + pc += (s16)__arg_i(insn->arg2);
>
> This adds a signed 16-bit integer to pc, which can make pc negative.
>
> And so the question becomes... what prevents pc becoming negative
> and then trying to use a negative number as an index?
I don't know ebpf very well, but would it of caught this? I know the
aim of this is to be simple, but due to its simplicity, we are loosing
out on all the inherent safety of eBPF. Is a eBPF interface all that
complex? I assume you just need to add some way to identify MDIO
busses and kfunc to perform a read on the bus?
Andrew