From: Kees Cook <keescook@chromium.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Paolo Abeni <pabeni@redhat.com>, netdev <netdev@vger.kernel.org>,
Coco Li <lixiaoyan@google.com>, Tariq Toukan <tariqt@nvidia.com>,
Saeed Mahameed <saeedm@nvidia.com>,
Leon Romanovsky <leon@kernel.org>
Subject: Re: [PATCH v4 net-next 12/12] mlx5: support BIG TCP packets
Date: Sat, 7 May 2022 00:16:37 -0700 [thread overview]
Message-ID: <202205070000.031D2D4@keescook> (raw)
In-Reply-To: <CANn89iLZJpTgnaEVxWvEaObrebvwivAmX+DGPGeibq5R0BKOBg@mail.gmail.com>
On Fri, May 06, 2022 at 07:43:13PM -0700, Eric Dumazet wrote:
> On Fri, May 6, 2022 at 7:37 PM Jakub Kicinski <kuba@kernel.org> wrote:
> >
> > On Fri, 6 May 2022 19:10:48 -0700 Eric Dumazet wrote:
> > > On Fri, May 6, 2022 at 6:54 PM Jakub Kicinski <kuba@kernel.org> wrote:
> > > > Without our patches drivers/net/ethernet/mellanox/mlx5/core/ builds
> > > > cleanly. Gotta be the new W=1 filed overflow warnings, let's bother
> > > > Kees.
> > >
> > > Note that inline_hdr.start is a 2 byte array.
> > >
> > > Obviously mlx5 driver copies more than 2 bytes of inlined headers.
> > >
> > > mlx5e_insert_vlan(eseg->inline_hdr.start, skb, attr->ihs)
> > > is called already with attr->ihs > 2
> > >
> > > So it should already complain ?
> >
> > It's a static checker, I presume it ignores attr->ihs because
> > it can't prove its value is indeed > 2. Unpleasant :/
>
> Well, the unpleasant thing is that I do not see a way to get rid of
> this warning.
> Networking is full of variable sized headers.
So... this _is_ supposed to be copying off the end of struct vlan_ethhdr?
In that case, either don't use the vhdr cast, or add a flex array to
the end of the header. e.g. (untested):
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
index 2dc48406cd08..990476b2e595 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
@@ -94,13 +94,18 @@ static inline u16 mlx5e_calc_min_inline(enum mlx5_inline_modes mode,
static inline void mlx5e_insert_vlan(void *start, struct sk_buff *skb, u16 ihs)
{
struct vlan_ethhdr *vhdr = (struct vlan_ethhdr *)start;
- int cpy1_sz = 2 * ETH_ALEN;
- int cpy2_sz = ihs - cpy1_sz;
+ void *data = skb->data;
+ const u16 cpy1_sz = sizeof(vhdr->addrs);
+ const u16 cpy2_sz = sizeof(vhdr->h_vlan_encapsulated_proto);
+ const u16 cpy3_sz = ihs - cpy1_sz - cpy2_sz;
- memcpy(&vhdr->addrs, skb->data, cpy1_sz);
+ memcpy(&vhdr->addrs, data, cpy1_sz);
+ data += sizeof(cpy1_sz);
vhdr->h_vlan_proto = skb->vlan_proto;
vhdr->h_vlan_TCI = cpu_to_be16(skb_vlan_tag_get(skb));
- memcpy(&vhdr->h_vlan_encapsulated_proto, skb->data + cpy1_sz, cpy2_sz);
+ memcpy(&vhdr->h_vlan_encapsulated_proto, data, cpy2_sz);
+ data += sizeof(cpy2_sz);
+ memcpy(&vhdr->h_vlan_contents, data, cpy3_sz);
}
static inline void
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 2be4dd7e90a9..8178e20ce5b3 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -44,6 +44,7 @@ struct vlan_hdr {
* @h_vlan_proto: ethernet protocol
* @h_vlan_TCI: priority and VLAN ID
* @h_vlan_encapsulated_proto: packet type ID or len
+ * @h_vlan_contents: The rest of the packet
*/
struct vlan_ethhdr {
struct_group(addrs,
@@ -53,6 +54,7 @@ struct vlan_ethhdr {
__be16 h_vlan_proto;
__be16 h_vlan_TCI;
__be16 h_vlan_encapsulated_proto;
+ u8 h_vlan_contents[];
};
#include <linux/skbuff.h>
I'm still learning the skb helpers, but shouldn't this be using something
similar to skb_pull() that would do bounds checking, etc? Open-coded
accesses of skb->data have shown a repeated pattern of being a source
of flaws:
https://github.com/KSPP/linux/issues/140
And speaking to the existing code, even if skb->data were
bounds-checked, what are the bounds of "start"?
--
Kees Cook
next prev parent reply other threads:[~2022-05-07 7:16 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-06 15:30 [PATCH v4 net-next 00/12] tcp: BIG TCP implementation Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 01/12] net: add IFLA_TSO_{MAX_SIZE|SEGS} attributes Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 02/12] ipv6: add IFLA_GSO_IPV6_MAX_SIZE Eric Dumazet
2022-05-06 20:48 ` Alexander H Duyck
2022-05-06 21:20 ` Eric Dumazet
2022-05-06 21:37 ` Alexander Duyck
2022-05-06 21:50 ` Eric Dumazet
2022-05-06 22:16 ` Alexander Duyck
2022-05-06 22:25 ` Eric Dumazet
2022-05-06 22:26 ` Jakub Kicinski
2022-05-06 22:46 ` Alexander Duyck
2022-05-06 15:30 ` [PATCH v4 net-next 03/12] tcp_cubic: make hystart_ack_delay() aware of BIG TCP Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 04/12] ipv6: add struct hop_jumbo_hdr definition Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 05/12] ipv6/gso: remove temporary HBH/jumbo header Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 06/12] ipv6/gro: insert " Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 07/12] ipv6: add IFLA_GRO_IPV6_MAX_SIZE Eric Dumazet
2022-05-06 21:06 ` Alexander H Duyck
2022-05-06 21:22 ` Eric Dumazet
2022-05-06 22:01 ` Alexander Duyck
2022-05-06 22:08 ` Eric Dumazet
2022-05-09 18:17 ` [PATCH 0/2] Replacements for patches 2 and 7 in Big TCP series Alexander Duyck
2022-05-09 18:17 ` [PATCH 1/2] net: Allow gso_max_size to exceed 65536 Alexander Duyck
2022-05-09 18:17 ` [PATCH 2/2] net: Allow gro_max_size " Alexander Duyck
2022-05-09 18:54 ` [PATCH 0/2] Replacements for patches 2 and 7 in Big TCP series Eric Dumazet
2022-05-09 20:21 ` Alexander H Duyck
2022-05-09 20:31 ` Eric Dumazet
2022-05-09 21:05 ` Alexander Duyck
2022-05-06 15:30 ` [PATCH v4 net-next 08/12] ipv6: Add hop-by-hop header to jumbograms in ip6_output Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 09/12] net: loopback: enable BIG TCP packets Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 10/12] veth: " Eric Dumazet
2022-05-06 22:33 ` Jakub Kicinski
2022-05-06 15:30 ` [PATCH v4 net-next 11/12] mlx4: support " Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 12/12] mlx5: " Eric Dumazet
2022-05-06 22:34 ` Jakub Kicinski
2022-05-07 0:32 ` Eric Dumazet
2022-05-07 1:54 ` Jakub Kicinski
2022-05-07 1:54 ` Jakub Kicinski
2022-05-07 2:10 ` Eric Dumazet
2022-05-07 2:37 ` Jakub Kicinski
2022-05-07 2:43 ` Eric Dumazet
2022-05-07 7:16 ` Kees Cook [this message]
2022-05-07 7:23 ` Kees Cook
2022-05-07 6:57 ` Kees Cook
2022-05-07 7:46 ` Kees Cook
2022-05-07 11:19 ` Eric Dumazet
2022-05-09 8:05 ` David Laight
2022-05-09 23:20 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202205070000.031D2D4@keescook \
--to=keescook@chromium.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=lixiaoyan@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.