From: Kees Cook <keescook@chromium.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Paolo Abeni <pabeni@redhat.com>, netdev <netdev@vger.kernel.org>,
Coco Li <lixiaoyan@google.com>, Tariq Toukan <tariqt@nvidia.com>,
Saeed Mahameed <saeedm@nvidia.com>,
Leon Romanovsky <leon@kernel.org>
Subject: Re: [PATCH v4 net-next 12/12] mlx5: support BIG TCP packets
Date: Sat, 7 May 2022 00:46:17 -0700
Message-ID: <202205070026.11B94DF@keescook>
In-Reply-To: <20220506185405.527a79d4@kernel.org>
On Fri, May 06, 2022 at 06:54:05PM -0700, Jakub Kicinski wrote:
> On Fri, 6 May 2022 17:32:43 -0700 Eric Dumazet wrote:
> > On Fri, May 6, 2022 at 3:34 PM Jakub Kicinski <kuba@kernel.org> wrote:
> > > In function ‘fortify_memcpy_chk’,
> > > inlined from ‘mlx5e_sq_xmit_wqe’ at ../drivers/net/ethernet/mellanox/mlx5/core/en_tx.c:408:5:
> > > ../include/linux/fortify-string.h:328:25: warning: call to ‘__write_overflow_field’ declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
> > > 328 | __write_overflow_field(p_size_field, size);
> > > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ah, my old friend, inline_hdr.start. Looks a lot like another one I fixed
earlier in ad5185735f7d ("net/mlx5e: Avoid field-overflowing memcpy()"):
        if (attr->ihs) {
                if (skb_vlan_tag_present(skb)) {
                        eseg->inline_hdr.sz |= cpu_to_be16(attr->ihs + VLAN_HLEN);
                        mlx5e_insert_vlan(eseg->inline_hdr.start, skb, attr->ihs);
                        stats->added_vlan_packets++;
                } else {
                        eseg->inline_hdr.sz |= cpu_to_be16(attr->ihs);
                        memcpy(eseg->inline_hdr.start, skb->data, attr->ihs);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                }
                dseg += wqe_attr->ds_cnt_inl;
This is actually two regions, 2 bytes in eseg and everything else in
dseg. Splitting the memcpy() will work:
memcpy(eseg->inline_hdr.start, skb->data, sizeof(eseg->inline_hdr.start));
memcpy(dseg, skb->data + sizeof(eseg->inline_hdr.start), ihs - sizeof(eseg->inline_hdr.start));
But this begs the question, what is validating that ihs - 2 is equal to
wqe_attr->ds_cnt_inl * sizeof(*dseg)?
And how is wqe bounds checked?
> > > In function ‘fortify_memcpy_chk’,
> > > inlined from ‘mlx5i_sq_xmit’ at ../drivers/net/ethernet/mellanox/mlx5/core/en_tx.c:962:4:
> > > ../include/linux/fortify-string.h:328:25: warning: call to ‘__write_overflow_field’ declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
> > > 328 | __write_overflow_field(p_size_field, size);
> > > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And moar inline_hdr.start:
        if (attr.ihs) {
                memcpy(eseg->inline_hdr.start, skb->data, attr.ihs);
                eseg->inline_hdr.sz = cpu_to_be16(attr.ihs);
                dseg += wqe_attr.ds_cnt_inl;
        }
again, a split:
memcpy(eseg->inline_hdr.start, skb->data, sizeof(eseg->inline_hdr.start));
eseg->inline_hdr.sz = cpu_to_be16(attr.ihs);
memcpy(dseg, skb->data + sizeof(eseg->inline_hdr.start), ihs - sizeof(eseg->inline_hdr.start));
dseg += wqe_attr.ds_cnt_inl;
And the same bounds questions come up.
It'd be really nice to get some kind of generalized "copy out of
skb->data with bounds checking that may likely all get reduced to
constant checks".
--
Kees Cook
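The split copy and the two bounds questions raised in the message above, worked through as an added user-space C example. This is not code from the page or from the mlx5 driver: the struct layout (a 2-byte inline_hdr.sz and 2-byte inline_hdr.start at the end of the eth segment, 16-byte data segments following it), the segment limit MAX_INL_DSEGS, and the assumption that the caller sizes ds_cnt_inl by rounding the spill-over up to whole segments are all illustrative choices made here. The function copies the header as two memcpy() calls, one per destination field, and refuses any length that the reserved data segments or the WQE cannot hold, which is the check the message asks about.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed layout mirroring the shape described in the message: the
 * ethernet segment ends with a 2-byte inline_hdr.sz and a 2-byte
 * inline_hdr.start, and 16-byte data segments follow contiguously in the
 * WQE. Field names and the segment count are illustrative, not the
 * driver's real structs.
 */
#define INL_HDR_START_SZ 2
#define SEND_WQE_DS      16
#define MAX_INL_DSEGS    8

struct eth_seg {
	uint8_t  other[12];                      /* unrelated eseg fields */
	uint16_t inline_hdr_sz;                  /* host order here; hardware uses be16 */
	uint8_t  inline_hdr_start[INL_HDR_START_SZ];
};

struct tx_wqe {
	struct eth_seg eseg;
	uint8_t dseg[MAX_INL_DSEGS][SEND_WQE_DS];
};

/* Whole data segments needed for the bytes that spill past inline_hdr.start. */
static size_t inline_ds_count(size_t ihs)
{
	if (ihs <= INL_HDR_START_SZ)
		return 0;
	return (ihs - INL_HDR_START_SZ + SEND_WQE_DS - 1) / SEND_WQE_DS;
}

/*
 * Copy ihs header bytes into the WQE as two memcpy()s, one per destination
 * field, rejecting any size the reserved segments cannot hold.
 * Returns the number of data segments consumed, or -1 if rejected.
 * The single memcpy(eseg->inline_hdr.start, skb->data, ihs) that FORTIFY
 * flags writes the same bytes to the same addresses, but names a 2-byte
 * field as the destination of an ihs-byte write.
 */
static int copy_inline_header(struct tx_wqe *wqe, const uint8_t *hdr,
			      size_t ihs, size_t ds_cnt_inl)
{
	size_t rest;

	if (ihs < INL_HDR_START_SZ)
		return -1;                       /* must at least fill the field */
	rest = ihs - INL_HDR_START_SZ;

	/* Assumption: the caller sized ds_cnt_inl by rounding rest up to
	 * whole segments; anything smaller would overrun what was reserved. */
	if (ds_cnt_inl < inline_ds_count(ihs))
		return -1;
	if (ds_cnt_inl > MAX_INL_DSEGS)
		return -1;                       /* would run past the WQE */
	if (ihs > UINT16_MAX)
		return -1;                       /* does not fit inline_hdr.sz */

	memcpy(wqe->eseg.inline_hdr_start, hdr, INL_HDR_START_SZ);
	memcpy(wqe->dseg, hdr + INL_HDR_START_SZ, rest);
	wqe->eseg.inline_hdr_sz = (uint16_t)ihs;
	return (int)ds_cnt_inl;
}

/* Verify the header landed in the WQE exactly once, field by field. */
static bool inline_header_matches(const struct tx_wqe *wqe,
				  const uint8_t *hdr, size_t ihs)
{
	if (ihs < INL_HDR_START_SZ || wqe->eseg.inline_hdr_sz != ihs)
		return false;
	if (memcmp(wqe->eseg.inline_hdr_start, hdr, INL_HDR_START_SZ) != 0)
		return false;
	return memcmp(wqe->dseg, hdr + INL_HDR_START_SZ,
		      ihs - INL_HDR_START_SZ) == 0;
}

/* Constructed sample input: len bytes standing in for an Ethernet+IP+TCP header. */
static size_t sample_header(uint8_t *buf, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		buf[i] = (uint8_t)(0xA0 + i);
	return len;
}

int main(void)
{
	struct tx_wqe wqe = {0};
	uint8_t hdr[54];                         /* 14 + 20 + 20 bytes of headers */
	size_t ihs = sample_header(hdr, sizeof(hdr));
	int ds = copy_inline_header(&wqe, hdr, ihs, inline_ds_count(ihs));

	return (ds == 4 && inline_header_matches(&wqe, hdr, ihs)) ? 0 : 1;
}
```

With a 54-byte header the 52 bytes past inline_hdr.start need four 16-byte segments; passing three is rejected, as is a header that would need more segments than the WQE holds, so the bounds the message asks about are enforced before either memcpy() runs.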
2022-05-06 15:30 [PATCH v4 net-next 00/12] tcp: BIG TCP implementation Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 01/12] net: add IFLA_TSO_{MAX_SIZE|SEGS} attributes Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 02/12] ipv6: add IFLA_GSO_IPV6_MAX_SIZE Eric Dumazet
2022-05-06 20:48 ` Alexander H Duyck
2022-05-06 21:20 ` Eric Dumazet
2022-05-06 21:37 ` Alexander Duyck
2022-05-06 21:50 ` Eric Dumazet
2022-05-06 22:16 ` Alexander Duyck
2022-05-06 22:25 ` Eric Dumazet
2022-05-06 22:26 ` Jakub Kicinski
2022-05-06 22:46 ` Alexander Duyck
2022-05-06 15:30 ` [PATCH v4 net-next 03/12] tcp_cubic: make hystart_ack_delay() aware of BIG TCP Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 04/12] ipv6: add struct hop_jumbo_hdr definition Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 05/12] ipv6/gso: remove temporary HBH/jumbo header Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 06/12] ipv6/gro: insert " Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 07/12] ipv6: add IFLA_GRO_IPV6_MAX_SIZE Eric Dumazet
2022-05-06 21:06 ` Alexander H Duyck
2022-05-06 21:22 ` Eric Dumazet
2022-05-06 22:01 ` Alexander Duyck
2022-05-06 22:08 ` Eric Dumazet
2022-05-09 18:17 ` [PATCH 0/2] Replacements for patches 2 and 7 in Big TCP series Alexander Duyck
2022-05-09 18:17 ` [PATCH 1/2] net: Allow gso_max_size to exceed 65536 Alexander Duyck
2022-05-09 18:17 ` [PATCH 2/2] net: Allow gro_max_size " Alexander Duyck
2022-05-09 18:54 ` [PATCH 0/2] Replacements for patches 2 and 7 in Big TCP series Eric Dumazet
2022-05-09 20:21 ` Alexander H Duyck
2022-05-09 20:31 ` Eric Dumazet
2022-05-09 21:05 ` Alexander Duyck
2022-05-06 15:30 ` [PATCH v4 net-next 08/12] ipv6: Add hop-by-hop header to jumbograms in ip6_output Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 09/12] net: loopback: enable BIG TCP packets Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 10/12] veth: " Eric Dumazet
2022-05-06 22:33 ` Jakub Kicinski
2022-05-06 15:30 ` [PATCH v4 net-next 11/12] mlx4: support " Eric Dumazet
2022-05-06 15:30 ` [PATCH v4 net-next 12/12] mlx5: " Eric Dumazet
2022-05-06 22:34 ` Jakub Kicinski
2022-05-07 0:32 ` Eric Dumazet
2022-05-07 1:54 ` Jakub Kicinski
2022-05-07 1:54 ` Jakub Kicinski
2022-05-07 2:10 ` Eric Dumazet
2022-05-07 2:37 ` Jakub Kicinski
2022-05-07 2:43 ` Eric Dumazet
2022-05-07 7:16 ` Kees Cook
2022-05-07 7:23 ` Kees Cook
2022-05-07 6:57 ` Kees Cook
2022-05-07 7:46 ` Kees Cook [this message]
2022-05-07 11:19 ` Eric Dumazet
2022-05-09 8:05 ` David Laight
2022-05-09 23:20 ` Kees Cook