On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella <mcasc...@redhat.com> wrote: > > rocker_tlv_parse_nested could return early because of no group ids in > the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next > for-loop will deref the NULL pointer.
Someone somehow reserved a new CVE for this bug, published a few days ago here: https://nvd.nist.gov/vuln/detail/CVE-2022-36648. Not only is this not CVE worthy (rocker code does not fall under the KVM virtualization use case [1]) but what's most concerning is that it got a CVSS score of 10 :/ I'm going to dispute this CVE. Hopefully, it will be rejected soon. In any case, can we get this patch merged? [1] https://www.qemu.org/docs/master/system/security.html Thanks, > Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com> > Reported-by: <aray...@icloud.com> > --- > hw/net/rocker/rocker_of_dpa.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c > index b3b8c5bb6d..1611b79227 100644 > --- a/hw/net/rocker/rocker_of_dpa.c > +++ b/hw/net/rocker/rocker_of_dpa.c > @@ -2039,6 +2039,11 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, > OfDpaGroup *group, > rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count, > group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]); > > + if (!tlvs) { > + err = -ROCKER_EINVAL; > + goto err_out; > + } > + > for (i = 0; i < group->l2_flood.group_count; i++) { > group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]); > } > -- > 2.35.3 > -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
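Review bot: the new check tests the array pointer `tlvs` after `rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count, group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS])`, but in that call `tlvs` is the destination the parser fills, so an early return on a missing or short nested GROUP_IDS TLV leaves `tlvs` itself unchanged and only the entries `tlvs[i + 1]` NULL, which is exactly what the loop then dereferences through `rocker_tlv_get_le32(tlvs[i + 1])`. Consider guarding each element inside the loop (for example `if (!tlvs[i + 1]) { err = -ROCKER_EINVAL; goto err_out; }`) or rejecting the command up front when `group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]` is absent, and confirm that the `err_out` path releases whatever the function allocated before this point, since the early `goto` now runs before the group ids are filled in.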