From: "Szapar-Mudlaw, Martyna" <martyna.szapar-mudlaw@linux.intel.com>
To: Simon Horman <horms@kernel.org>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Subject: Re: [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
Date: Mon, 3 Mar 2025 17:31:44 +0100 [thread overview]
Message-ID: <4cf2a594-b45c-4527-8d90-cc574d35747a@linux.intel.com> (raw)
In-Reply-To: <20250228170939.GK1615191@kernel.org>
On 2/28/2025 6:09 PM, Simon Horman wrote:
> On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote:
>> From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>>
>> Fix using the untrusted value of proto->raw.pkt_len in function
>> ice_vc_fdir_parse_raw() by verifying if it does not exceed the
>> VIRTCHNL_MAX_SIZE_RAW_PACKET value.
>>
>> Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary patterns for VFs")
>> Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>> Signed-off-by: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@linux.intel.com>
>> ---
>> .../ethernet/intel/ice/ice_virtchnl_fdir.c | 25 +++++++++++++------
>> 1 file changed, 17 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>> index 14e3f0f89c78..6250629ee8f9 100644
>> --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>> +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>> @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf,
>> u8 *pkt_buf, *msk_buf __free(kfree);
>> struct ice_parser_result rslt;
>> struct ice_pf *pf = vf->pf;
>> + u16 pkt_len, udp_port = 0;
>> struct ice_parser *psr;
>> int status = -ENOMEM;
>> struct ice_hw *hw;
>> - u16 udp_port = 0;
>>
>> - pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>> - msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>> + if (!proto->raw.pkt_len)
>> + return -EINVAL;
>> +
>> + pkt_len = proto->raw.pkt_len;
>
> Hi Martyna,
>
> A check is made for !proto->raw.pkt_len above.
> And a check is made for !pkt_len below.
>
> This seems redundant.
Right, thank you for spotting it, will fix
>
>> +
>> + if (!pkt_len || pkt_len > VIRTCHNL_MAX_SIZE_RAW_PACKET)
>> + return -EINVAL;
>
> ...
WARNING: multiple messages have this Message-ID (diff)
From: "Szapar-Mudlaw, Martyna" <martyna.szapar-mudlaw@linux.intel.com>
To: Simon Horman <horms@kernel.org>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Subject: Re: [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
Date: Mon, 3 Mar 2025 17:31:44 +0100 [thread overview]
Message-ID: <4cf2a594-b45c-4527-8d90-cc574d35747a@linux.intel.com> (raw)
In-Reply-To: <20250228170939.GK1615191@kernel.org>
On 2/28/2025 6:09 PM, Simon Horman wrote:
> On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote:
>> From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>>
>> Fix using the untrusted value of proto->raw.pkt_len in function
>> ice_vc_fdir_parse_raw() by verifying if it does not exceed the
>> VIRTCHNL_MAX_SIZE_RAW_PACKET value.
>>
>> Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary patterns for VFs")
>> Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>> Signed-off-by: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@linux.intel.com>
>> ---
>> .../ethernet/intel/ice/ice_virtchnl_fdir.c | 25 +++++++++++++------
>> 1 file changed, 17 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>> index 14e3f0f89c78..6250629ee8f9 100644
>> --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>> +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>> @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf,
>> u8 *pkt_buf, *msk_buf __free(kfree);
>> struct ice_parser_result rslt;
>> struct ice_pf *pf = vf->pf;
>> + u16 pkt_len, udp_port = 0;
>> struct ice_parser *psr;
>> int status = -ENOMEM;
>> struct ice_hw *hw;
>> - u16 udp_port = 0;
>>
>> - pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>> - msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>> + if (!proto->raw.pkt_len)
>> + return -EINVAL;
>> +
>> + pkt_len = proto->raw.pkt_len;
>
> Hi Martyna,
>
> A check is made for !proto->raw.pkt_len above.
> And a check is made for !pkt_len below.
>
> This seems redundant.
Right, thank you for spotting it, will fix
>
>> +
>> + if (!pkt_len || pkt_len > VIRTCHNL_MAX_SIZE_RAW_PACKET)
>> + return -EINVAL;
>
> ...
next prev parent reply other threads:[~2025-03-03 16:31 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-25 9:08 [Intel-wired-lan] [iwl-net v2 0/5] ice: fix validation issues in virtchnl parameters Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 1/5] virtchnl: make proto and filter action count unsigned Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:18 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 2/5] ice: stop truncating queue ids when checking Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:18 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 3/5] ice: validate queue quanta parameters to prevent OOB access Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:18 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 4/5] ice: fix input validation for virtchnl BW Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:19 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:19 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-25 10:34 ` [Intel-wired-lan] " Przemek Kitszel
2025-02-28 17:09 ` Simon Horman
2025-02-28 17:09 ` Simon Horman
2025-03-03 16:31 ` Szapar-Mudlaw, Martyna [this message]
2025-03-03 16:31 ` Szapar-Mudlaw, Martyna
2025-02-28 17:17 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:17 ` Simon Horman
2025-03-03 10:00 ` [Intel-wired-lan] " Przemek Kitszel
2025-03-03 10:00 ` Przemek Kitszel
2025-03-03 16:32 ` [Intel-wired-lan] " Szapar-Mudlaw, Martyna
2025-03-03 16:32 ` Szapar-Mudlaw, Martyna
2025-03-05 11:18 ` [Intel-wired-lan] " Simon Horman
2025-03-05 11:18 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4cf2a594-b45c-4527-8d90-cc574d35747a@linux.intel.com \
--to=martyna.szapar-mudlaw@linux.intel.com \
--cc=horms@kernel.org \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=mateusz.polchlopek@intel.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.