* [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
@ 2022-12-02 9:58 Dan Carpenter
2022-12-04 12:47 ` Leon Romanovsky
2022-12-05 11:50 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 6+ messages in thread
From: Dan Carpenter @ 2022-12-02 9:58 UTC (permalink / raw)
To: Thomas Petazzoni, Gregory CLEMENT
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
netdev, kernel-janitors
The pp->indir[0] value comes from the user. It is passed to:
if (cpu_online(pp->rxq_def))
inside the mvneta_percpu_elect() function. It needs bounds checkeding
to ensure that it is not beyond the end of the cpu bitmap.
Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
drivers/net/ethernet/marvell/mvneta.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index c2cb98d24f5c..5abc7c3e399e 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -4927,6 +4927,9 @@ static int mvneta_config_rss(struct mvneta_port *pp)
napi_disable(&pp->napi);
}
+ if (pp->indir[0] >= nr_cpu_ids)
+ return -EINVAL;
+
pp->rxq_def = pp->indir[0];
/* Update unicast mapping */
--
2.35.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
2022-12-02 9:58 [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Dan Carpenter
@ 2022-12-04 12:47 ` Leon Romanovsky
2022-12-05 9:03 ` Dan Carpenter
2022-12-05 11:50 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 6+ messages in thread
From: Leon Romanovsky @ 2022-12-04 12:47 UTC (permalink / raw)
To: Dan Carpenter
Cc: Thomas Petazzoni, Gregory CLEMENT, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, kernel-janitors
On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> The pp->indir[0] value comes from the user. It is passed to:
>
> if (cpu_online(pp->rxq_def))
>
> inside the mvneta_percpu_elect() function. It needs bounds checkeding
> to ensure that it is not beyond the end of the cpu bitmap.
>
> Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> drivers/net/ethernet/marvell/mvneta.c | 3 +++
> 1 file changed, 3 insertions(+)
I would expect that ethtool_copy_validate_indir() will prevent this.
Thanks
>
> diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
> index c2cb98d24f5c..5abc7c3e399e 100644
> --- a/drivers/net/ethernet/marvell/mvneta.c
> +++ b/drivers/net/ethernet/marvell/mvneta.c
> @@ -4927,6 +4927,9 @@ static int mvneta_config_rss(struct mvneta_port *pp)
> napi_disable(&pp->napi);
> }
>
> + if (pp->indir[0] >= nr_cpu_ids)
> + return -EINVAL;
> +
> pp->rxq_def = pp->indir[0];
>
> /* Update unicast mapping */
> --
> 2.35.1
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
2022-12-04 12:47 ` Leon Romanovsky
@ 2022-12-05 9:03 ` Dan Carpenter
2022-12-05 17:44 ` Leon Romanovsky
0 siblings, 1 reply; 6+ messages in thread
From: Dan Carpenter @ 2022-12-05 9:03 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Thomas Petazzoni, Gregory CLEMENT, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, kernel-janitors
On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > The pp->indir[0] value comes from the user. It is passed to:
> >
> > if (cpu_online(pp->rxq_def))
> >
> > inside the mvneta_percpu_elect() function. It needs bounds checkeding
> > to ensure that it is not beyond the end of the cpu bitmap.
> >
> > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > ---
> > drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > 1 file changed, 3 insertions(+)
>
> I would expect that ethtool_copy_validate_indir() will prevent this.
>
Huh... Sort of, but in the strictest sense, no. mvneta_ethtool_get_rxnfc()
sets the cap at 8 by default or an unvalidated module parameter.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
2022-12-02 9:58 [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Dan Carpenter
2022-12-04 12:47 ` Leon Romanovsky
@ 2022-12-05 11:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-12-05 11:50 UTC (permalink / raw)
To: Dan Carpenter
Cc: thomas.petazzoni, gregory.clement, davem, edumazet, kuba, pabeni,
netdev, kernel-janitors
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:
On Fri, 2 Dec 2022 12:58:26 +0300 you wrote:
> The pp->indir[0] value comes from the user. It is passed to:
>
> if (cpu_online(pp->rxq_def))
>
> inside the mvneta_percpu_elect() function. It needs bounds checkeding
> to ensure that it is not beyond the end of the cpu bitmap.
>
> [...]
Here is the summary with links:
- [net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
https://git.kernel.org/netdev/net/c/e8b4fc13900b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
2022-12-05 9:03 ` Dan Carpenter
@ 2022-12-05 17:44 ` Leon Romanovsky
2022-12-05 18:42 ` Dan Carpenter
0 siblings, 1 reply; 6+ messages in thread
From: Leon Romanovsky @ 2022-12-05 17:44 UTC (permalink / raw)
To: Dan Carpenter
Cc: Thomas Petazzoni, Gregory CLEMENT, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, kernel-janitors
On Mon, Dec 05, 2022 at 12:03:46PM +0300, Dan Carpenter wrote:
> On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> > On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > > The pp->indir[0] value comes from the user. It is passed to:
> > >
> > > if (cpu_online(pp->rxq_def))
> > >
> > > inside the mvneta_percpu_elect() function. It needs bounds checkeding
> > > to ensure that it is not beyond the end of the cpu bitmap.
> > >
> > > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > > ---
> > > drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> >
> > I would expect that ethtool_copy_validate_indir() will prevent this.
> >
>
> Huh... Sort of, but in the strictest sense, no. mvneta_ethtool_get_rxnfc()
> sets the cap at 8 by default or an unvalidated module parameter.
And is this solely mvnet issue? Do other drivers safe for this input?
Thanks
>
> regards,
> dan carpenter
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
2022-12-05 17:44 ` Leon Romanovsky
@ 2022-12-05 18:42 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2022-12-05 18:42 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Thomas Petazzoni, Gregory CLEMENT, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, kernel-janitors
On Mon, Dec 05, 2022 at 07:44:12PM +0200, Leon Romanovsky wrote:
> On Mon, Dec 05, 2022 at 12:03:46PM +0300, Dan Carpenter wrote:
> > On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> > > On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > > > The pp->indir[0] value comes from the user. It is passed to:
> > > >
> > > > if (cpu_online(pp->rxq_def))
> > > >
> > > > inside the mvneta_percpu_elect() function. It needs bounds checkeding
> > > > to ensure that it is not beyond the end of the cpu bitmap.
> > > >
> > > > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > > > ---
> > > > drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > >
> > > I would expect that ethtool_copy_validate_indir() will prevent this.
> > >
> >
> > Huh... Sort of, but in the strictest sense, no. mvneta_ethtool_get_rxnfc()
> > sets the cap at 8 by default or an unvalidated module parameter.
>
> And is this solely mvnet issue? Do other drivers safe for this input?
>
I believe so, yes. However thinking about it now maybe a better fix
would be to go back to the original way of using pp->rxq_def % nr_cpu_ids.
(Originally it used num_online_cpus() instead of nr_cpu_ids but I think
nr_cpu_ids is correct). I will send this patch tomorrow.
In this code, if you hit the out of bounds then you kind of deserve it,
but there are probably a lot of people who probably have fewer than 8
cores and in that case the bug results in a WARN().
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-12-05 18:43 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-02 9:58 [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Dan Carpenter
2022-12-04 12:47 ` Leon Romanovsky
2022-12-05 9:03 ` Dan Carpenter
2022-12-05 17:44 ` Leon Romanovsky
2022-12-05 18:42 ` Dan Carpenter
2022-12-05 11:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).