* [PATCH][next] cxgb4/ch_ktls: Fix undefined behavior bug in struct chcr_ktls_ofld_ctx_tx
@ 2023-10-03 10:54 Gustavo A. R. Silva
  0 siblings, 0 replies; only message in thread
From: Gustavo A. R. Silva @ 2023-10-03 10:54 UTC
  To: Ayush Sawal, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Rohit Maheshwari
  Cc: netdev, linux-kernel, Gustavo A. R. Silva, linux-hardening

`struct tls_offload_context_tx` is a flexible structure, which means
that it contains a flexible-array member at the bottom. This could
potentially lead to an overwrite of the objects following `base` in
`struct chcr_ktls_ofld_ctx_tx` at run-time.

Notice that flexible-array member `driver_state` in `struct
tls_offload_context_tx` can grow up to 16 bytes at run-time:

| include/net/tls.h-170:
| #define TLS_DRIVER_STATE_SIZE_TX  16

| include/net/tls.h-173:
| #define TLS_OFFLOAD_CONTEXT_SIZE_TX                                     \
|	(sizeof(struct tls_offload_context_tx) + TLS_DRIVER_STATE_SIZE_TX)

| net/tls/tls_device.c-1119:
| offload_ctx = kzalloc(TLS_OFFLOAD_CONTEXT_SIZE_TX, GFP_KERNEL);

Fix this by placing the declaration of object `base` at the end of
`struct chcr_ktls_ofld_ctx_tx`.

Fixes: 34aba2c45024 ("cxgb4/chcr : Register to tls add and del callback")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.h b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.h
index 10572dc55365..35e34e3db663 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.h
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.h
@@ -68,8 +68,8 @@ struct chcr_ktls_info {
 };
 
 struct chcr_ktls_ofld_ctx_tx {
-	struct tls_offload_context_tx base;
 	struct chcr_ktls_info *chcr_info;
+	struct tls_offload_context_tx base;
 };
 
 struct chcr_ktls_uld_ctx {
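Review bot: Moving `base` off offset 0 in `struct chcr_ktls_ofld_ctx_tx` needs a matching check of how the driver obtains this struct, and the hunk does not show that accessor. The commit message quotes the allocation in net/tls/tls_device.c as `kzalloc(TLS_OFFLOAD_CONTEXT_SIZE_TX, GFP_KERNEL)`, so the object that exists at run-time is a `struct tls_offload_context_tx` plus 16 bytes of `driver_state`, allocated by the TLS core rather than by this driver as a `struct chcr_ktls_ofld_ctx_tx`. If the driver derives its context from the core's pointer by a cast or by `container_of()` on `base`, then with `chcr_info` placed first the resulting pointer lands before the start of that allocation, and `chcr_info` no longer overlays `driver_state`. Please quote the accessor in the changelog and state which case applies, or confirm that the driver allocates the wrapper itself. If the reordering stands, a one-line comment on `base` saying it must remain the last member would keep a later field addition from reintroducing the problem.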
-- 
2.34.1

