[PATCH net 6/9] ethtool: cmis: require exact CDB reply length

Netdev List
 help / color / mirror / Atom feed

From: Jakub Kicinski <kuba@kernel.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
	andrew+netdev@lunn.ch, horms@kernel.org,
	maxime.chevallier@bootlin.com, danieller@nvidia.com,
	petrm@nvidia.com, o.rempel@pengutronix.de, idosch@nvidia.com,
	Jakub Kicinski <kuba@kernel.org>,
	andrew@lunn.ch, kees@kernel.org
Subject: [PATCH net 6/9] ethtool: cmis: require exact CDB reply length
Date: Fri, 22 May 2026 16:13:09 -0700	[thread overview]
Message-ID: <20260522231312.1710836-7-kuba@kernel.org> (raw)
In-Reply-To: <20260522231312.1710836-1-kuba@kernel.org>

Malicious SFP module could respond with rpl_len longer than
what cmis_cdb_process_reply() expected, leading to OOB writes.
Malicious HW is a bit theoretical but some modules may just
be buggy and/or the reads may occasionally get corrupted,
so let's protect the kernel.

The existing check protects from short replies. We need to
protect from long ones, too. All callers that pass a non-zero
rpl_exp_len cast the reply payload to a fixed-layout struct
and read fields at fixed offsets, with no version negotiation
or short-reply handling:

  - cmis_cdb_validate_password()
  - cmis_cdb_module_features_get()
  - cmis_fw_update_fw_mng_features_get()

so let's assume that responses longer than expected do not
have to be handled gracefully here. Add a warning message
to make the debug easier in case my understanding is wrong...

Note that page_data->length (argument of kmalloc) comes from
last arg to ethtool_cmis_page_init() which is rpl_exp_len.

Note2 that AIs also like to point out overflows in args->req.payload
itself (which is a fixed-size 120 B buffer, on the stack),
but callers should be reading structs defined by the standard,
so protecting from requests for more data than max seem like
defensive programming.

Fixes: a39c84d79625 ("ethtool: cmis_cdb: Add a layer for supporting CDB commands")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
CC: andrew@lunn.ch
CC: kees@kernel.org
CC: danieller@nvidia.com
CC: petrm@nvidia.com
---
 net/ethtool/cmis_cdb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index 3670ca42dd40..f3a53a984460 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -513,8 +513,13 @@ static int cmis_cdb_process_reply(struct net_device *dev,
 	}

 	rpl = (struct ethtool_cmis_cdb_rpl *)page_data->data;
-	if ((args->rpl_exp_len > rpl->hdr.rpl_len + rpl_hdr_len) ||
-	    !rpl->hdr.rpl_chk_code) {
+	if (rpl->hdr.rpl_len != args->rpl_exp_len) {
+		netdev_warn(dev, "CDB reply length mismatch, expected %u got %u\n",
+			    args->rpl_exp_len, rpl->hdr.rpl_len);
+		err = -EIO;
+		goto out;
+	}
+	if (!rpl->hdr.rpl_chk_code) {
 		err = -EIO;
 		goto out;
 	}
-- 
2.54.0

next prev parent reply	other threads:[~2026-05-22 23:13 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-22 23:13 [PATCH net 0/9] ethtool: module: fix a handful of small bugs Jakub Kicinski
2026-05-22 23:13 ` [PATCH net 1/9] ethtool: module: call ethnl_ops_complete() on module flash errors Jakub Kicinski
2026-05-23 14:28   ` Maxime Chevallier
2026-05-22 23:13 ` [PATCH net 2/9] ethtool: module: avoid leaking a netdev ref " Jakub Kicinski
2026-05-23 14:32   ` Maxime Chevallier
2026-05-22 23:13 ` [PATCH net 3/9] ethtool: module: avoid racy updates to dev->ethtool bitfield Jakub Kicinski
2026-05-23 14:38   ` Maxime Chevallier
2026-05-22 23:13 ` [PATCH net 4/9] ethtool: module: check fw_flash_in_progress under rtnl_lock Jakub Kicinski
2026-05-23 14:40   ` Maxime Chevallier
2026-05-22 23:13 ` [PATCH net 5/9] ethtool: module: fix cleanup if socket used for flashing multiple devices Jakub Kicinski
2026-05-22 23:13 ` Jakub Kicinski [this message]
2026-05-22 23:13 ` [PATCH net 7/9] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl Jakub Kicinski
2026-05-23 14:53   ` Maxime Chevallier
2026-05-22 23:13 ` [PATCH net 8/9] ethtool: cmis: validate start_cmd_payload_size from module Jakub Kicinski
2026-05-23 14:56   ` Maxime Chevallier
2026-05-22 23:13 ` [PATCH net 9/9] ethtool: cmis: validate fw->size against start_cmd_payload_size Jakub Kicinski
2026-05-23 14:59   ` Maxime Chevallier

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3670ca42dd4 dfblob:f3a53a98446 )
 OR (
bs:"[PATCH net 6/9] ethtool: cmis: require exact CDB reply length" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260522231312.1710836-7-kuba@kernel.org \
    --to=kuba@kernel.org \
    --cc=andrew+netdev@lunn.ch \
    --cc=andrew@lunn.ch \
    --cc=danieller@nvidia.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=idosch@nvidia.com \
    --cc=kees@kernel.org \
    --cc=maxime.chevallier@bootlin.com \
    --cc=netdev@vger.kernel.org \
    --cc=o.rempel@pengutronix.de \
    --cc=pabeni@redhat.com \
    --cc=petrm@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox