diff mbox series

[net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()

Message ID Y4nMQuEtuVO+rlQy@kili (mailing list archive)
State Accepted
Commit e8b4fc13900b8e8be48debffd0dfd391772501f7
Delegated to: Netdev Maintainers
Headers show
Series [net] net: mvneta: Prevent out of bounds read in mvneta_config_rss() | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Dan Carpenter Dec. 2, 2022, 9:58 a.m. UTC 
The pp->indir[0] value comes from the user.  It is passed to:

	if (cpu_online(pp->rxq_def))

inside the mvneta_percpu_elect() function.  It needs bounds checkeding
to ensure that it is not beyond the end of the cpu bitmap.

Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
 drivers/net/ethernet/marvell/mvneta.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Leon Romanovsky Dec. 4, 2022, 12:47 p.m. UTC | #1 
On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> The pp->indir[0] value comes from the user.  It is passed to:
> 
> 	if (cpu_online(pp->rxq_def))
> 
> inside the mvneta_percpu_elect() function.  It needs bounds checkeding
> to ensure that it is not beyond the end of the cpu bitmap.
> 
> Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
>  drivers/net/ethernet/marvell/mvneta.c | 3 +++
>  1 file changed, 3 insertions(+)

I would expect that ethtool_copy_validate_indir() will prevent this.

Thanks

> 
> diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
> index c2cb98d24f5c..5abc7c3e399e 100644
> --- a/drivers/net/ethernet/marvell/mvneta.c
> +++ b/drivers/net/ethernet/marvell/mvneta.c
> @@ -4927,6 +4927,9 @@ static int  mvneta_config_rss(struct mvneta_port *pp)
>  		napi_disable(&pp->napi);
>  	}
>  
> +	if (pp->indir[0] >= nr_cpu_ids)
> +		return -EINVAL;
> +
>  	pp->rxq_def = pp->indir[0];
>  
>  	/* Update unicast mapping */
> -- 
> 2.35.1
>
Dan Carpenter Dec. 5, 2022, 9:03 a.m. UTC | #2 
On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > The pp->indir[0] value comes from the user.  It is passed to:
> > 
> > 	if (cpu_online(pp->rxq_def))
> > 
> > inside the mvneta_percpu_elect() function.  It needs bounds checkeding
> > to ensure that it is not beyond the end of the cpu bitmap.
> > 
> > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > ---
> >  drivers/net/ethernet/marvell/mvneta.c | 3 +++
> >  1 file changed, 3 insertions(+)
> 
> I would expect that ethtool_copy_validate_indir() will prevent this.
> 

Huh...  Sort of, but in the strictest sense, no.  mvneta_ethtool_get_rxnfc()
sets the cap at 8 by default or an unvalidated module parameter.

regards,
dan carpenter
patchwork-bot+netdevbpf@kernel.org Dec. 5, 2022, 11:50 a.m. UTC | #3 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Fri, 2 Dec 2022 12:58:26 +0300 you wrote:
> The pp->indir[0] value comes from the user.  It is passed to:
> 
> 	if (cpu_online(pp->rxq_def))
> 
> inside the mvneta_percpu_elect() function.  It needs bounds checkeding
> to ensure that it is not beyond the end of the cpu bitmap.
> 
> [...]

Here is the summary with links:
  - [net] net: mvneta: Prevent out of bounds read in mvneta_config_rss()
    https://git.kernel.org/netdev/net/c/e8b4fc13900b

You are awesome, thank you!
Leon Romanovsky Dec. 5, 2022, 5:44 p.m. UTC | #4 
On Mon, Dec 05, 2022 at 12:03:46PM +0300, Dan Carpenter wrote:
> On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> > On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > > The pp->indir[0] value comes from the user.  It is passed to:
> > > 
> > > 	if (cpu_online(pp->rxq_def))
> > > 
> > > inside the mvneta_percpu_elect() function.  It needs bounds checkeding
> > > to ensure that it is not beyond the end of the cpu bitmap.
> > > 
> > > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > > ---
> > >  drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > 
> > I would expect that ethtool_copy_validate_indir() will prevent this.
> > 
> 
> Huh...  Sort of, but in the strictest sense, no.  mvneta_ethtool_get_rxnfc()
> sets the cap at 8 by default or an unvalidated module parameter.

And is this solely mvnet issue? Do other drivers safe for this input?

Thanks

> 
> regards,
> dan carpenter
>
Dan Carpenter Dec. 5, 2022, 6:42 p.m. UTC | #5 
On Mon, Dec 05, 2022 at 07:44:12PM +0200, Leon Romanovsky wrote:
> On Mon, Dec 05, 2022 at 12:03:46PM +0300, Dan Carpenter wrote:
> > On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> > > On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > > > The pp->indir[0] value comes from the user.  It is passed to:
> > > > 
> > > > 	if (cpu_online(pp->rxq_def))
> > > > 
> > > > inside the mvneta_percpu_elect() function.  It needs bounds checkeding
> > > > to ensure that it is not beyond the end of the cpu bitmap.
> > > > 
> > > > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > > > ---
> > > >  drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > 
> > > I would expect that ethtool_copy_validate_indir() will prevent this.
> > > 
> > 
> > Huh...  Sort of, but in the strictest sense, no.  mvneta_ethtool_get_rxnfc()
> > sets the cap at 8 by default or an unvalidated module parameter.
> 
> And is this solely mvnet issue? Do other drivers safe for this input?
> 

I believe so, yes.  However thinking about it now maybe a better fix
would be to go back to the original way of using pp->rxq_def % nr_cpu_ids.
(Originally it used num_online_cpus() instead of nr_cpu_ids but I think
nr_cpu_ids is correct).  I will send this patch tomorrow.

In this code, if you hit the out of bounds then you kind of deserve it,
but there are probably a lot of people who probably have fewer than 8
cores and in that case the bug results in a WARN().

regards,
dan carpenter
diff mbox series

Patch

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index c2cb98d24f5c..5abc7c3e399e 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -4927,6 +4927,9 @@  static int  mvneta_config_rss(struct mvneta_port *pp)
 		napi_disable(&pp->napi);
 	}
 
+	if (pp->indir[0] >= nr_cpu_ids)
+		return -EINVAL;
+
 	pp->rxq_def = pp->indir[0];
 
 	/* Update unicast mapping */