From: "Szapar-Mudlaw, Martyna" <martyna.szapar-mudlaw@linux.intel.com>
To: Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Simon Horman <horms@kernel.org>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Subject: Re: [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
Date: Mon, 3 Mar 2025 17:32:32 +0100 [thread overview]
Message-ID: <e3fa9d6b-abb7-4b35-8467-7fae4581a981@linux.intel.com> (raw)
In-Reply-To: <68c841b7-fb5b-4c52-bd55-b98c80ad8667@intel.com>
On 3/3/2025 11:00 AM, Przemek Kitszel wrote:
> On 2/28/25 18:17, Simon Horman wrote:
>> On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote:
>>> From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>>>
>>> Fix using the untrusted value of proto->raw.pkt_len in function
>>> ice_vc_fdir_parse_raw() by verifying if it does not exceed the
>>> VIRTCHNL_MAX_SIZE_RAW_PACKET value.
>>>
>>> Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary
>>> patterns for VFs")
>>> Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>>> Signed-off-by: Martyna Szapar-Mudlaw <martyna.szapar-
>>> mudlaw@linux.intel.com>
>>> ---
>>> .../ethernet/intel/ice/ice_virtchnl_fdir.c | 25 +++++++++++++------
>>> 1 file changed, 17 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/
>>> drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>>> index 14e3f0f89c78..6250629ee8f9 100644
>>> --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>>> +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>>> @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf,
>>> u8 *pkt_buf, *msk_buf __free(kfree);
>>> struct ice_parser_result rslt;
>>> struct ice_pf *pf = vf->pf;
>>> + u16 pkt_len, udp_port = 0;
>>> struct ice_parser *psr;
>>> int status = -ENOMEM;
>>> struct ice_hw *hw;
>>> - u16 udp_port = 0;
>>> - pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>>> - msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>>> + if (!proto->raw.pkt_len)
>>> + return -EINVAL;
>>
>> Hi Martyna,
>>
>> It seems to me that the use of __free() above will result in
>> kfree(msk_buf) being called here. But msk_buf is not initialised at this
>> point.
>>
>> My suggest would be to drop the use of __free().
>> But if not, I think that in order to be safe it would be best to do this
>> (completely untested;
>>
>> u8 *pkt_buf, *msk_buf __free(kfree) = NULL;
>
> Oh yeah!, thank you Simon for catching that.
>
> I would say "naked __free()" was harmful here.
>
Thank you for suggestions, will send fixed v3
WARNING: multiple messages have this Message-ID (diff)
From: "Szapar-Mudlaw, Martyna" <martyna.szapar-mudlaw@linux.intel.com>
To: Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Simon Horman <horms@kernel.org>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Subject: Re: [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()
Date: Mon, 3 Mar 2025 17:32:32 +0100 [thread overview]
Message-ID: <e3fa9d6b-abb7-4b35-8467-7fae4581a981@linux.intel.com> (raw)
In-Reply-To: <68c841b7-fb5b-4c52-bd55-b98c80ad8667@intel.com>
On 3/3/2025 11:00 AM, Przemek Kitszel wrote:
> On 2/28/25 18:17, Simon Horman wrote:
>> On Tue, Feb 25, 2025 at 10:08:49AM +0100, Martyna Szapar-Mudlaw wrote:
>>> From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>>>
>>> Fix using the untrusted value of proto->raw.pkt_len in function
>>> ice_vc_fdir_parse_raw() by verifying if it does not exceed the
>>> VIRTCHNL_MAX_SIZE_RAW_PACKET value.
>>>
>>> Fixes: 99f419df8a5c ("ice: enable FDIR filters from raw binary
>>> patterns for VFs")
>>> Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
>>> Signed-off-by: Martyna Szapar-Mudlaw <martyna.szapar-
>>> mudlaw@linux.intel.com>
>>> ---
>>> .../ethernet/intel/ice/ice_virtchnl_fdir.c | 25 +++++++++++++------
>>> 1 file changed, 17 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c b/
>>> drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>>> index 14e3f0f89c78..6250629ee8f9 100644
>>> --- a/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>>> +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c
>>> @@ -835,18 +835,27 @@ ice_vc_fdir_parse_raw(struct ice_vf *vf,
>>> u8 *pkt_buf, *msk_buf __free(kfree);
>>> struct ice_parser_result rslt;
>>> struct ice_pf *pf = vf->pf;
>>> + u16 pkt_len, udp_port = 0;
>>> struct ice_parser *psr;
>>> int status = -ENOMEM;
>>> struct ice_hw *hw;
>>> - u16 udp_port = 0;
>>> - pkt_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>>> - msk_buf = kzalloc(proto->raw.pkt_len, GFP_KERNEL);
>>> + if (!proto->raw.pkt_len)
>>> + return -EINVAL;
>>
>> Hi Martyna,
>>
>> It seems to me that the use of __free() above will result in
>> kfree(msk_buf) being called here. But msk_buf is not initialised at this
>> point.
>>
>> My suggest would be to drop the use of __free().
>> But if not, I think that in order to be safe it would be best to do this
>> (completely untested;
>>
>> u8 *pkt_buf, *msk_buf __free(kfree) = NULL;
>
> Oh yeah!, thank you Simon for catching that.
>
> I would say "naked __free()" was harmful here.
>
Thank you for suggestions, will send fixed v3
next prev parent reply other threads:[~2025-03-03 16:32 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-25 9:08 [Intel-wired-lan] [iwl-net v2 0/5] ice: fix validation issues in virtchnl parameters Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 1/5] virtchnl: make proto and filter action count unsigned Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:18 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 2/5] ice: stop truncating queue ids when checking Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:18 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 3/5] ice: validate queue quanta parameters to prevent OOB access Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:18 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:18 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 4/5] ice: fix input validation for virtchnl BW Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-28 17:19 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:19 ` Simon Horman
2025-02-25 9:08 ` [Intel-wired-lan] [iwl-net v2 5/5] ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Martyna Szapar-Mudlaw
2025-02-25 9:08 ` Martyna Szapar-Mudlaw
2025-02-25 10:34 ` [Intel-wired-lan] " Przemek Kitszel
2025-02-28 17:09 ` Simon Horman
2025-02-28 17:09 ` Simon Horman
2025-03-03 16:31 ` [Intel-wired-lan] " Szapar-Mudlaw, Martyna
2025-03-03 16:31 ` Szapar-Mudlaw, Martyna
2025-02-28 17:17 ` [Intel-wired-lan] " Simon Horman
2025-02-28 17:17 ` Simon Horman
2025-03-03 10:00 ` [Intel-wired-lan] " Przemek Kitszel
2025-03-03 10:00 ` Przemek Kitszel
2025-03-03 16:32 ` Szapar-Mudlaw, Martyna [this message]
2025-03-03 16:32 ` Szapar-Mudlaw, Martyna
2025-03-05 11:18 ` [Intel-wired-lan] " Simon Horman
2025-03-05 11:18 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3fa9d6b-abb7-4b35-8467-7fae4581a981@linux.intel.com \
--to=martyna.szapar-mudlaw@linux.intel.com \
--cc=horms@kernel.org \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=mateusz.polchlopek@intel.com \
--cc=netdev@vger.kernel.org \
--cc=przemyslaw.kitszel@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.