| Message ID | 20220510022826.2388423-1-grundler@chromium.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | net: atlantic: more fuzzing fixes | expand |
Hello: This series was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Mon, 9 May 2022 19:28:22 -0700 you wrote: > The Chrome OS fuzzing team posted a "Fuzzing" report for atlantic driver > in Q4 2021 using Chrome OS v5.4 kernel and "Cable Matters > Thunderbolt 3 to 10 Gb Ethernet" (b0 version): > https://docs.google.com/document/d/e/2PACX-1vT4oCGNhhy_AuUqpu6NGnW0N9HF_jxf2kS7raOpOlNRqJNiTHAtjiHRthXYSeXIRTgfeVvsEt0qK9qK/pub > > It essentially describes four problems: > 1) validate rxd_wb->next_desc_ptr before populating buff->next > 2) "frag[0] not initialized" case in aq_ring_rx_clean() > 3) limit iterations handling fragments in aq_ring_rx_clean() > 4) validate hw_head_ in hw_atl_b0_hw_ring_tx_head_update() > > [...] Here is the summary with links: - [1/4] net: atlantic: fix "frag[0] not initialized" https://git.kernel.org/netdev/net/c/62e0ae0f4020 - [2/4] net: atlantic: reduce scope of is_rsc_complete https://git.kernel.org/netdev/net/c/79784d77ebbd - [3/4] net: atlantic: add check for MAX_SKB_FRAGS https://git.kernel.org/netdev/net/c/6aecbba12b5c - [4/4] net: atlantic: verify hw_head_ lies within TX buffer ring https://git.kernel.org/netdev/net/c/2120b7f4d128 You are awesome, thank you!
The Chrome OS fuzzing team posted a "Fuzzing" report for atlantic driver in Q4 2021 using Chrome OS v5.4 kernel and "Cable Matters Thunderbolt 3 to 10 Gb Ethernet" (b0 version): https://docs.google.com/document/d/e/2PACX-1vT4oCGNhhy_AuUqpu6NGnW0N9HF_jxf2kS7raOpOlNRqJNiTHAtjiHRthXYSeXIRTgfeVvsEt0qK9qK/pub It essentially describes four problems: 1) validate rxd_wb->next_desc_ptr before populating buff->next 2) "frag[0] not initialized" case in aq_ring_rx_clean() 3) limit iterations handling fragments in aq_ring_rx_clean() 4) validate hw_head_ in hw_atl_b0_hw_ring_tx_head_update() (1) was fixed by Zekun Shen <bruceshenzk@gmail.com> around the same time with "atlantic: Fix buff_ring OOB in aq_ring_rx_clean" (SHA1 5f50153288452e10). I've added one "clean up" contribution: "net: atlantic: reduce scope of is_rsc_complete" I tested the "original" patches using chromeos-v5.4 kernel branch: https://chromium-review.googlesource.com/q/hashtag:pcinet-atlantic-2022q1+(status:open%20OR%20status:merged) I've forward ported those patches to 5.18-rc2 and compiled them but am unable to test them on 5.18-rc2 kernel (logistics problems). Credit largely goes to ChromeOS Fuzzing team members: Aashay Shringarpure, Yi Chou, Shervin Oloumi V2 changes: o drop first patch - was already fixed upstream differently o reduce (4) "validate hw_head_" to simple bounds checking. drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 17 ++++++++++------- .../net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 6 ++++++ 2 files changed, 16 insertions(+), 7 deletions(-) cheers, grant