From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59189)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jiri@resnulli.us>) id 1aBN7f-0002ux-U9
	for qemu-devel@nongnu.org; Tue, 22 Dec 2015 08:37:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jiri@resnulli.us>) id 1aBN7b-0007SB-C6
	for qemu-devel@nongnu.org; Tue, 22 Dec 2015 08:37:03 -0500
Received: from mail-wm0-x236.google.com ([2a00:1450:400c:c09::236]:34893)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jiri@resnulli.us>) id 1aBN7b-0007R5-3a
	for qemu-devel@nongnu.org; Tue, 22 Dec 2015 08:36:59 -0500
Received: by mail-wm0-x236.google.com with SMTP id l126so110577621wml.0
	for <qemu-devel@nongnu.org>; Tue, 22 Dec 2015 05:36:58 -0800 (PST)
Date: Tue, 22 Dec 2015 14:36:56 +0100
From: Jiri Pirko <jiri@resnulli.us>
Message-ID: <20151222133656.GA5330@nanopsycho.orion>
References: <alpine.LFD.2.20.1512221830330.5001@wniryva>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.20.1512221830330.5001@wniryva>
Subject: Re: [Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds
	check
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>
Cc: Qinghao Tang <luodalongde@gmail.com>, Scott Feldman <sfeldma@gmail.com>, qemu-devel@nongnu.org

Tue, Dec 22, 2015 at 02:07:01PM CET, ppandit@redhat.com wrote:
>  Hello Scott, Jiri
>
>A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It occurs
>while processing transmit(tx) descriptors in tx_consume() routine. If a
>descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) packet
>fragments, the processing loop suffers an off-by-one error. Thus leading to
>OOB memory access and leakage of host memory.
>
>Please see below a proposed patch to fix this issue. Does it look okay?
>
>===
>>From f3461d8098a0572786f5a2d7a492863090c73134 Mon Sep 17 00:00:00 2001
>From: Prasad J Pandit <pjp@fedoraproject.org>
>Date: Tue, 22 Dec 2015 18:21:00 +0530
>Subject: [PATCH] net: rocker: fix an incorrect array bounds check
>
>While processing transmit(tx) descriptors in 'tx_consume' routine
>the switch emulator suffers from an off-by-one error, if a
>descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX)
>fragments. Fix an incorrect bounds check to avoid it.
>
>Reported-by: Qinghao Tang <luodalongde@gmail.com>
>Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Reviewed-by: Jiri Pirko <jiri@mellanox.com>