Flag ``ETHTOOL_A_STRSET_COUNTS_ONLY`` tells the kernel to only return the string counts of the sets, but, when req_info->counts_only tries to read the tb[ETHTOOL_A_STRSET_COUNTS_ONLY] it gets out of bound.
- net/ethtool/strset.c The bug seems to trigger in this line: req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; Fix it by NULL checking for req_info->counts_only while reading from tb[ETHTOOL_A_STRSET_COUNTS_ONLY]. Reported-by: syzbot+9d1389df89299fa36...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=730deff8fe9954a5e317924d9acff98d9c64a770 Signed-off-by: Anmol Karn <anmol.karan...@gmail.com> --- When I tried to reduce the index of tb[] by 1, the crash reproducer was not working anymore, hence it's probably reading from tb[ETHTOOL_A_STRSET_STRINGSETS], but this won't give the strset 'count' and hence is not a plausible fix. But checking for the req_info->counts_only seems legit. If I have missed something please let me know, and I will work towards fixing it in next version. net/ethtool/strset.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c index 82707b662fe4..20a7b36698f3 100644 --- a/net/ethtool/strset.c +++ b/net/ethtool/strset.c @@ -174,7 +174,8 @@ static int strset_parse_request(struct ethnl_req_info *req_base, if (ret < 0) return ret; - req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; + if (req_info->counts_only) + req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; nla_for_each_nested(attr, nest, rem) { u32 id; -- 2.28.0
