Re: [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <horms@kernel.org>
To: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@linux.intel.com>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
	Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Subject: Re: [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
Date: Fri, 28 Feb 2025 17:09:39 +0000	[thread overview]
Message-ID: <20250228170939.GK1615191@kernel.org> (raw)
In-Reply-To: <20250225090847.513849-8-martyna.szapar-mudlaw@linux.intel.com>

On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote:
> From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
> 
> Fix using the untrusted value of proto->raw.pkt_len in function
> ice_vc_fdir_parse_raw() by verifying if it does not exceed the
> VIRTCHNL_MAX_SIZE_RAW_PACKET value.
> 
> Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary patterns for VFs")
> Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
> Signed-off-by: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@linux.intel.com>
> ---
>  .../ethernet/intel/ice/ice_virtchnl_fdir.c    | 25 +++++++++++++------
>  1 file changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
> index 14e3f0f89c78..6250629ee8f9 100644
> --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
> +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
> @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf,
>  	u8 *pkt_buf, *msk_buf __free(kfree);
>  	struct ice_parser_result rslt;
>  	struct ice_pf *pf = vf->pf;
> +	u16 pkt_len, udp_port = 0;
>  	struct ice_parser *psr;
>  	int status = -ENOMEM;
>  	struct ice_hw *hw;
> -	u16 udp_port = 0;
>  
> -	pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
> -	msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
> +	if (!proto->raw.pkt_len)
> +		return -EINVAL;
> +
> +	pkt_len = proto->raw.pkt_len;

Hi Martyna,

A check is made for !proto->raw.pkt_len above.
And a check is made for !pkt_len below.

This seems redundant.

> +
> +	if (!pkt_len || pkt_len > VIRTCHNL_MAX_SIZE_RAW_PACKET)
> +		return -EINVAL;

...

WARNING: multiple messages have this Message-ID (diff)

From: Simon Horman <horms@kernel.org>
To: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@linux.intel.com>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
	Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Subject: Re: [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
Date: Fri, 28 Feb 2025 17:09:39 +0000	[thread overview]
Message-ID: <20250228170939.GK1615191@kernel.org> (raw)
In-Reply-To: <20250225090847.513849-8-martyna.szapar-mudlaw@linux.intel.com>

On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote:
> From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
> 
> Fix using the untrusted value of proto->raw.pkt_len in function
> ice_vc_fdir_parse_raw() by verifying if it does not exceed the
> VIRTCHNL_MAX_SIZE_RAW_PACKET value.
> 
> Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary patterns for VFs")
> Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
> Signed-off-by: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@linux.intel.com>
> ---
>  .../ethernet/intel/ice/ice_virtchnl_fdir.c    | 25 +++++++++++++------
>  1 file changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
> index 14e3f0f89c78..6250629ee8f9 100644
> --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
> +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
> @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf,
>  	u8 *pkt_buf, *msk_buf __free(kfree);
>  	struct ice_parser_result rslt;
>  	struct ice_pf *pf = vf->pf;
> +	u16 pkt_len, udp_port = 0;
>  	struct ice_parser *psr;
>  	int status = -ENOMEM;
>  	struct ice_hw *hw;
> -	u16 udp_port = 0;
>  
> -	pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
> -	msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
> +	if (!proto->raw.pkt_len)
> +		return -EINVAL;
> +
> +	pkt_len = proto->raw.pkt_len;

Hi Martyna,

A check is made for !proto->raw.pkt_len above.
And a check is made for !pkt_len below.

This seems redundant.

> +
> +	if (!pkt_len || pkt_len > VIRTCHNL_MAX_SIZE_RAW_PACKET)
> +		return -EINVAL;

...

next prev parent reply	other threads:[~2025-02-28 17:26 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-25  9:08 [Intel-wired-lan] [iwl-net v2 0/5] ice: fix validation issues in virtchnl parameters Martyna Szapar-Mudlaw
2025-02-25  9:08 ` Martyna Szapar-Mudlaw
2025-02-25  9:08 ` [Intel-wired-lan] [iwl-net v2 1/5] virtchnl: make proto and filter action count unsigned Martyna Szapar-Mudlaw
2025-02-25  9:08   ` Martyna Szapar-Mudlaw
2025-02-28 17:18   ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18     ` Simon Horman
2025-02-25  9:08 ` [Intel-wired-lan] [iwl-net v2 2/5] ice: stop truncating queue ids when checking Martyna Szapar-Mudlaw
2025-02-25  9:08   ` Martyna Szapar-Mudlaw
2025-02-28 17:18   ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18     ` Simon Horman
2025-02-25  9:08 ` [Intel-wired-lan] [iwl-net v2 3/5] ice: validate queue quanta parameters to prevent OOB access Martyna Szapar-Mudlaw
2025-02-25  9:08   ` Martyna Szapar-Mudlaw
2025-02-28 17:18   ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18     ` Simon Horman
2025-02-25  9:08 ` [Intel-wired-lan] [iwl-net v2 4/5] ice: fix input validation for virtchnl BW Martyna Szapar-Mudlaw
2025-02-25  9:08   ` Martyna Szapar-Mudlaw
2025-02-28 17:19   ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:19     ` Simon Horman
2025-02-25  9:08 ` [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Martyna Szapar-Mudlaw
2025-02-25  9:08   ` Martyna Szapar-Mudlaw
2025-02-25 10:34   ` [Intel-wired-lan] " Przemek Kitszel
2025-02-28 17:09   ` Simon Horman [this message]
2025-02-28 17:09     ` Simon Horman
2025-03-03 16:31     ` [Intel-wired-lan] " Szapar-Mudlaw, Martyna
2025-03-03 16:31       ` Szapar-Mudlaw, Martyna
2025-02-28 17:17   ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:17     ` Simon Horman
2025-03-03 10:00     ` [Intel-wired-lan] " Przemek Kitszel
2025-03-03 10:00       ` Przemek Kitszel
2025-03-03 16:32       ` [Intel-wired-lan] " Szapar-Mudlaw, Martyna
2025-03-03 16:32         ` Szapar-Mudlaw, Martyna
2025-03-05 11:18       ` [Intel-wired-lan] " Simon Horman
2025-03-05 11:18         ` Simon Horman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250228170939.GK1615191@kernel.org \
    --to=horms@kernel.org \
    --cc=intel-wired-lan@lists.osuosl.org \
    --cc=martyna.szapar-mudlaw@linux.intel.com \
    --cc=mateusz.polchlopek@intel.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.