From: Dan Carpenter <error27@gmail.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Gregory CLEMENT <gregory.clement@bootlin.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
Date: Mon, 5 Dec 2022 21:42:50 +0300 [thread overview]
Message-ID: <Y447qgHPpSMAdQLG@kadam> (raw)
In-Reply-To: <Y44t7OczM/wrbowu@unreal>
On Mon, Dec 05, 2022 at 07:44:12PM +0200, Leon Romanovsky wrote:
> On Mon, Dec 05, 2022 at 12:03:46PM +0300, Dan Carpenter wrote:
> > On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> > > On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > > > The pp->indir[0] value comes from the user. It is passed to:
> > > >
> > > > if (cpu_online(pp->rxq_def))
> > > >
> > > > inside the mvneta_percpu_elect() function. It needs bounds checkeding
> > > > to ensure that it is not beyond the end of the cpu bitmap.
> > > >
> > > > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > > > ---
> > > > drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > >
> > > I would expect that ethtool_copy_validate_indir() will prevent this.
> > >
> >
> > Huh... Sort of, but in the strictest sense, no. mvneta_ethtool_get_rxnfc()
> > sets the cap at 8 by default or an unvalidated module parameter.
>
> And is this solely mvnet issue? Do other drivers safe for this input?
>
I believe so, yes. However thinking about it now maybe a better fix
would be to go back to the original way of using pp->rxq_def % nr_cpu_ids.
(Originally it used num_online_cpus() instead of nr_cpu_ids but I think
nr_cpu_ids is correct). I will send this patch tomorrow.
In this code, if you hit the out of bounds then you kind of deserve it,
but there are probably a lot of people who probably have fewer than 8
cores and in that case the bug results in a WARN().
regards,
dan carpenter
next prev parent reply other threads:[~2022-12-05 18:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-02 9:58 [PATCH net] net: mvneta: Prevent out of bounds read in mvneta_config_rss() Dan Carpenter
2022-12-04 12:47 ` Leon Romanovsky
2022-12-05 9:03 ` Dan Carpenter
2022-12-05 17:44 ` Leon Romanovsky
2022-12-05 18:42 ` Dan Carpenter [this message]
2022-12-05 11:50 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y447qgHPpSMAdQLG@kadam \
--to=error27@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gregory.clement@bootlin.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).