From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zekun Shen <bruceshenzk@gmail.com>,
Brendan Dolan-Gavitt <brendandg@nyu.edu>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
peppe.cavallaro@st.com, alexandre.torgue@foss.st.com,
joabreu@synopsys.com, kuba@kernel.org, mcoquelin.stm32@gmail.com,
netdev@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH AUTOSEL 5.15 22/68] stmmac_pci: Fix underflow size in stmmac_rx
Date: Tue, 30 Nov 2021 09:46:18 -0500
Message-ID: <20211130144707.944580-22-sashal@kernel.org>
In-Reply-To: <20211130144707.944580-1-sashal@kernel.org>
From: Zekun Shen <bruceshenzk@gmail.com>
[ Upstream commit 0f296e782f21dc1c55475a3c107ac68ab09cc1cf ]
This bug report came up when we were testing the device driver
by fuzzing. It shows that buf1_len can get underflowed and be
0xfffffffc (4294967292).
This bug is triggerable with a compromised/malfunctioning device.
We found the bug through QEMU emulation and tested the patch with
emulation. We did NOT test it on real hardware.
Attached is the bug report by fuzzing.
BUG: KASAN: use-after-free in stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac]
Read of size 4294967292 at addr ffff888016358000 by task ksoftirqd/0/9
CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac]
? stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac]
__kasan_report.cold+0x37/0x7c
? stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac]
kasan_report+0xe/0x20
check_memory_region+0x15a/0x1d0
memcpy+0x20/0x50
stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac]
? stmmac_suspend+0x850/0x850 [stmmac]
? __next_timer_interrupt+0xba/0xf0
net_rx_action+0x363/0xbd0
? call_timer_fn+0x240/0x240
? __switch_to_asm+0x40/0x70
? napi_busy_loop+0x520/0x520
? __schedule+0x839/0x15a0
__do_softirq+0x18c/0x634
? takeover_tasklets+0x5f0/0x5f0
run_ksoftirqd+0x15/0x20
smpboot_thread_fn+0x2f1/0x6b0
? smpboot_unregister_percpu_thread+0x160/0x160
? __kthread_parkme+0x80/0x100
? smpboot_unregister_percpu_thread+0x160/0x160
kthread+0x2b5/0x3b0
? kthread_create_on_node+0xd0/0xd0
ret_from_fork+0x22/0x40
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 0ab20e2f984b9..348ad489f154c 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5153,12 +5153,13 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
if (likely(!(status & rx_not_ls)) &&
(likely(priv->synopsys_id >= DWMAC_CORE_4_00) ||
unlikely(status != llc_snap))) {
- if (buf2_len)
+ if (buf2_len) {
buf2_len -= ETH_FCS_LEN;
- else
+ len -= ETH_FCS_LEN;
+ } else if (buf1_len) {
buf1_len -= ETH_FCS_LEN;
-
- len -= ETH_FCS_LEN;
+ len -= ETH_FCS_LEN;
+ }
}
if (!skb) {
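Review bot: the new `else if (buf1_len)` guard, like the existing `if (buf2_len)`, only rules out a zero-length buffer; a descriptor reporting a `buf1_len` or `buf2_len` of 1 to 3 still wraps on `-= ETH_FCS_LEN` (ETH_FCS_LEN is 4, which is exactly the 0 - 4 = 0xfffffffc in the report), and the commit message's threat model is a compromised device supplying these lengths. Compare against the FCS size rather than zero, e.g. `if (buf2_len >= ETH_FCS_LEN)` / `else if (buf1_len >= ETH_FCS_LEN)`, and drop the frame when neither holds; an FCS that straddles the two buffers (buf2_len of 1 to 3) would need the remainder taken from buf1_len. Also, `len` is now left untouched when both buffer lengths are zero, which is the intended fix for the reported wrap but is a silent behaviour change for that path; a one-line comment in the hunk would help the next reader.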
--
2.33.0
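The unsigned wrap the commit message describes, as an added example that is not code from the stmmac driver, the patch, or its author: it models the FCS-stripping step on descriptor-supplied lengths in the pre-patch shape, the patched shape, and a hardened variant that checks the lengths against ETH_FCS_LEN. struct rx_lens, the fcs_strip_* functions, lengths_look_wrapped and its 16384-byte bound are names and values assumed for this example; ETH_FCS_LEN is the kernel's value of 4.

```c
/*
 * Added example: models the FCS-stripping step described in the commit
 * message, not code from the stmmac driver or from the patch itself.
 * struct rx_lens and the fcs_strip_* functions are names chosen for this
 * example; ETH_FCS_LEN is the kernel's value (4).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_FCS_LEN 4

/* Lengths the driver derives from the RX descriptor, i.e. values that a
 * malicious or faulty device controls. uint32_t makes the wrap identical on
 * every platform and matches the 0xfffffffc in the KASAN report. */
struct rx_lens {
	uint32_t buf1_len;
	uint32_t buf2_len;
	uint32_t len;
};

/* Pre-patch shape of the logic: the FCS is subtracted from buf1_len whenever
 * buf2_len is zero, even when buf1_len is zero as well. */
static void fcs_strip_old(struct rx_lens *r)
{
	if (r->buf2_len)
		r->buf2_len -= ETH_FCS_LEN;
	else
		r->buf1_len -= ETH_FCS_LEN;
	r->len -= ETH_FCS_LEN;
}

/* Shape of the logic after the patch: a buffer is only touched when its
 * length is non-zero. A length of 1 to 3 still wraps. */
static void fcs_strip_patched(struct rx_lens *r)
{
	if (r->buf2_len) {
		r->buf2_len -= ETH_FCS_LEN;
		r->len -= ETH_FCS_LEN;
	} else if (r->buf1_len) {
		r->buf1_len -= ETH_FCS_LEN;
		r->len -= ETH_FCS_LEN;
	}
}

/* Hardened variant (an assumption for this example, not from the patch):
 * check that the bytes being stripped actually exist, taking the remainder
 * from buf1 when the FCS straddles the two buffers. Returns false when the
 * descriptor cannot hold a 4-byte FCS, so the caller can drop the frame
 * instead of handing a wrapped length to memcpy(). */
static bool fcs_strip_hardened(struct rx_lens *r)
{
	uint32_t from_buf2 = r->buf2_len < ETH_FCS_LEN ? r->buf2_len : ETH_FCS_LEN;
	uint32_t from_buf1 = ETH_FCS_LEN - from_buf2;	/* 0 unless FCS straddles */

	if (r->buf1_len < from_buf1 || r->len < ETH_FCS_LEN)
		return false;
	r->buf2_len -= from_buf2;
	r->buf1_len -= from_buf1;
	r->len -= ETH_FCS_LEN;
	return true;
}

/* Sanity helper: true when any length exceeds what one jumbo frame could
 * legitimately occupy, i.e. when a subtraction has wrapped. The bound is an
 * assumption for this example. */
static bool lengths_look_wrapped(const struct rx_lens *r)
{
	const uint32_t max_frame = 16384;

	return r->buf1_len > max_frame || r->buf2_len > max_frame ||
	       r->len > max_frame;
}

int main(void)
{
	struct rx_lens empty = { 0, 0, 0 };		/* both buffers empty (constructed) */
	struct rx_lens runt  = { 2, 0, 2 };		/* buffer shorter than the FCS (constructed) */
	struct rx_lens split = { 1500, 2, 1502 };	/* FCS straddles buf1/buf2 (constructed) */
	bool ok;

	fcs_strip_old(&empty);
	printf("old, empty descriptor:    buf1_len=0x%08x wrapped=%d\n",
	       (unsigned)empty.buf1_len, lengths_look_wrapped(&empty));

	fcs_strip_patched(&runt);
	printf("patched, 2-byte buffer:   buf1_len=0x%08x wrapped=%d\n",
	       (unsigned)runt.buf1_len, lengths_look_wrapped(&runt));

	ok = fcs_strip_hardened(&split);
	printf("hardened, straddling FCS: ok=%d buf1_len=%u buf2_len=%u len=%u\n",
	       ok, (unsigned)split.buf1_len, (unsigned)split.buf2_len,
	       (unsigned)split.len);
	return 0;
}
```

fcs_strip_old on an all-zero descriptor reproduces the 0xfffffffc from the report; fcs_strip_patched stops that case but still wraps a 2-byte buffer to 0xfffffffe, which is why the hardened variant compares against ETH_FCS_LEN and rejects the frame rather than trusting a non-zero check.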