diff mbox series

Prevent out-of-bounds read/write in bcmasp_netfilt_rd and bcmasp_netfilt_wr

Message ID DB3PR10MB6835E073F668AD24F57AE64AE8A5A@DB3PR10MB6835.EURPRD10.PROD.OUTLOOK.COM (mailing list archive)
State Rejected
Delegated to: Netdev Maintainers
Headers show
Series Prevent out-of-bounds read/write in bcmasp_netfilt_rd and bcmasp_netfilt_wr | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1350 this patch: 1350
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 1378 this patch: 1378
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1378 this patch: 1378
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Yuran Pereira Nov. 3, 2023, 12:27 p.m. UTC 
The functions `bcmasp_netfilt_rd` and `bcmasp_netfilt_wr` both call
`bcmasp_netfilt_get_reg_offset` which, when it fails, returns `-EINVAL`.
This could lead to an out-of-bounds read or write when `rx_filter_core_rl`
or `rx_filter_core_wl` is called.

This patch adds a check in both functions to return immediately if
`bcmasp_netfilt_get_reg_offset` fails. This prevents potential out-of-bounds read
or writes, and ensures that no undefined or buggy behavior would originate from
the failure of `bcmasp_netfilt_get_reg_offset`.

Addresses-Coverity-IDs: 1544536 ("Out-of-bounds access")
Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
---
 drivers/net/ethernet/broadcom/asp2/bcmasp.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Greg KH Nov. 3, 2023, 12:57 p.m. UTC | #1 
On Fri, Nov 03, 2023 at 05:57:48PM +0530, Yuran Pereira wrote:
> The functions `bcmasp_netfilt_rd` and `bcmasp_netfilt_wr` both call
> `bcmasp_netfilt_get_reg_offset` which, when it fails, returns `-EINVAL`.
> This could lead to an out-of-bounds read or write when `rx_filter_core_rl`
> or `rx_filter_core_wl` is called.
> 
> This patch adds a check in both functions to return immediately if
> `bcmasp_netfilt_get_reg_offset` fails. This prevents potential out-of-bounds read
> or writes, and ensures that no undefined or buggy behavior would originate from
> the failure of `bcmasp_netfilt_get_reg_offset`.
> 
> Addresses-Coverity-IDs: 1544536 ("Out-of-bounds access")
> Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
> ---
>  drivers/net/ethernet/broadcom/asp2/bcmasp.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
> index 29b04a274d07..8b90b761bdec 100644
> --- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
> +++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
> @@ -227,6 +227,8 @@ static void bcmasp_netfilt_wr(struct bcmasp_priv *priv,
>  
>  	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
>  						   offset);
> +	if (reg_offset < 0)
> +		return;
>  
>  	rx_filter_core_wl(priv, val, reg_offset);
>  }
> @@ -244,6 +246,8 @@ static u32 bcmasp_netfilt_rd(struct bcmasp_priv *priv,
>  
>  	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
>  						   offset);
> +	if (reg_offset < 0)
> +		return 0;

Shouldn't you return an error here?

thanks

greg k-h
Yuran Pereira Nov. 3, 2023, 1:42 p.m. UTC | #2 
Hello Greg,
On Fri, Nov 03, 2023 at 01:57:13PM +0100, Greg KH wrote:
> >  	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
> >  						   offset);
> > +	if (reg_offset < 0)
> > +		return 0;
> 
> Shouldn't you return an error here?

Yes, I think that makes sense. I might just return `reg_offset`
since it is bound to be -EINVAL when bcmasp_netfilt_get_reg_offset
fails.

But that now makes me wonder whether the previous check in that
function which currently returns 0, shouldn't be returning `-EINVAL`
instead.

```
static u32 bcmasp_netfilt_rd(struct bcmasp_priv *priv,
...
{
	if (!IS_ALIGNED(offset, 4) || offset > MAX_WAKE_FILTER_SIZE)
		return 0;   <----- Should this one be -EINVAL?
}
```

Thank you for the feedback.

Yuran
Yuran Pereira Nov. 3, 2023, 2:14 p.m. UTC | #3 
I guess that explains why the first check returns 0.

```
static int bcmasp_netfilt_wr_m_wake(struct bcmasp_priv *priv,
...
{
		...
        if (first_byte && (!IS_ALIGNED(offset, 4) || size < 3)) {
            match_val = bcmasp_netfilt_rd(priv, nfilt,
                              ASP_NETFILT_MATCH,
                              ALIGN_DOWN(offset, 4));
            mask_val = bcmasp_netfilt_rd(priv, nfilt,
                             ASP_NETFILT_MASK,
                             ALIGN_DOWN(offset, 4));
        }

        shift = (3 - (offset % 4)) * 8;
        match_val &= ~GENMASK(shift + 7, shift);
        mask_val &= ~GENMASK(shift + 7, shift);
        match_val |= (u32)(*((u8 *)match) << shift);
        mask_val |= (u32)(*((u8 *)mask) << shift);

```
Yuran Pereira Nov. 3, 2023, 2:19 p.m. UTC | #4 
On a second thought, it might not be a good idea to return
an error without modifying the caller, since the caller of
this function currently uses this return value without checking
if it's an error.
I guess that explains why the first check returns 0.

```
static int bcmasp_netfilt_wr_m_wake(struct bcmasp_priv *priv,
...
{
		...
        if (first_byte && (!IS_ALIGNED(offset, 4) || size < 3)) {
            match_val = bcmasp_netfilt_rd(priv, nfilt,
                              ASP_NETFILT_MATCH,
                              ALIGN_DOWN(offset, 4));
            mask_val = bcmasp_netfilt_rd(priv, nfilt,
                             ASP_NETFILT_MASK,
                             ALIGN_DOWN(offset, 4));
        }

        shift = (3 - (offset % 4)) * 8;
        match_val &= ~GENMASK(shift + 7, shift);
        mask_val &= ~GENMASK(shift + 7, shift);
        match_val |= (u32)(*((u8 *)match) << shift);
        mask_val |= (u32)(*((u8 *)mask) << shift);

```
Justin Chen Nov. 3, 2023, 6:23 p.m. UTC | #5 
On 11/3/23 5:57 AM, Greg KH wrote:
> On Fri, Nov 03, 2023 at 05:57:48PM +0530, Yuran Pereira wrote:
>> The functions `bcmasp_netfilt_rd` and `bcmasp_netfilt_wr` both call
>> `bcmasp_netfilt_get_reg_offset` which, when it fails, returns `-EINVAL`.
>> This could lead to an out-of-bounds read or write when `rx_filter_core_rl`
>> or `rx_filter_core_wl` is called.
>>
>> This patch adds a check in both functions to return immediately if
>> `bcmasp_netfilt_get_reg_offset` fails. This prevents potential out-of-bounds read
>> or writes, and ensures that no undefined or buggy behavior would originate from
>> the failure of `bcmasp_netfilt_get_reg_offset`.
>>
>> Addresses-Coverity-IDs: 1544536 ("Out-of-bounds access")
>> Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
>> ---
>>   drivers/net/ethernet/broadcom/asp2/bcmasp.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
>> index 29b04a274d07..8b90b761bdec 100644
>> --- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
>> +++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
>> @@ -227,6 +227,8 @@ static void bcmasp_netfilt_wr(struct bcmasp_priv *priv,
>>   
>>   	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
>>   						   offset);
>> +	if (reg_offset < 0)
>> +		return;
>>   
>>   	rx_filter_core_wl(priv, val, reg_offset);
>>   }
>> @@ -244,6 +246,8 @@ static u32 bcmasp_netfilt_rd(struct bcmasp_priv *priv,
>>   
>>   	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
>>   						   offset);
>> +	if (reg_offset < 0)
>> +		return 0;
> 
> Shouldn't you return an error here?
> 
> thanks
> 
> greg k-h

As long as offset is less than MAX_WAKE_FILTER_SIZE we don't need to 
worry about error checking. This is already checked before we call 
netfilt_get_reg_offset() in both cases. Instead of returning -EINVAL in 
neffilt_get_reg_offset() lets return 0. This will silence the coverity 
check. In practice we will never hit this logic.

Thanks,
Justin
Greg KH Nov. 3, 2023, 6:33 p.m. UTC | #6 
On Fri, Nov 03, 2023 at 11:23:16AM -0700, Justin Chen wrote:
> 
> 
> On 11/3/23 5:57 AM, Greg KH wrote:
> > On Fri, Nov 03, 2023 at 05:57:48PM +0530, Yuran Pereira wrote:
> > > The functions `bcmasp_netfilt_rd` and `bcmasp_netfilt_wr` both call
> > > `bcmasp_netfilt_get_reg_offset` which, when it fails, returns `-EINVAL`.
> > > This could lead to an out-of-bounds read or write when `rx_filter_core_rl`
> > > or `rx_filter_core_wl` is called.
> > > 
> > > This patch adds a check in both functions to return immediately if
> > > `bcmasp_netfilt_get_reg_offset` fails. This prevents potential out-of-bounds read
> > > or writes, and ensures that no undefined or buggy behavior would originate from
> > > the failure of `bcmasp_netfilt_get_reg_offset`.
> > > 
> > > Addresses-Coverity-IDs: 1544536 ("Out-of-bounds access")
> > > Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
> > > ---
> > >   drivers/net/ethernet/broadcom/asp2/bcmasp.c | 4 ++++
> > >   1 file changed, 4 insertions(+)
> > > 
> > > diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
> > > index 29b04a274d07..8b90b761bdec 100644
> > > --- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
> > > +++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
> > > @@ -227,6 +227,8 @@ static void bcmasp_netfilt_wr(struct bcmasp_priv *priv,
> > >   	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
> > >   						   offset);
> > > +	if (reg_offset < 0)
> > > +		return;
> > >   	rx_filter_core_wl(priv, val, reg_offset);
> > >   }
> > > @@ -244,6 +246,8 @@ static u32 bcmasp_netfilt_rd(struct bcmasp_priv *priv,
> > >   	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
> > >   						   offset);
> > > +	if (reg_offset < 0)
> > > +		return 0;
> > 
> > Shouldn't you return an error here?
> > 
> > thanks
> > 
> > greg k-h
> 
> As long as offset is less than MAX_WAKE_FILTER_SIZE we don't need to worry
> about error checking. This is already checked before we call
> netfilt_get_reg_offset() in both cases. Instead of returning -EINVAL in
> neffilt_get_reg_offset() lets return 0. This will silence the coverity
> check. In practice we will never hit this logic.

Then don't change it, coverity is incorrect here.

greg k-h
diff mbox series

Patch

diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
index 29b04a274d07..8b90b761bdec 100644
--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
@@ -227,6 +227,8 @@  static void bcmasp_netfilt_wr(struct bcmasp_priv *priv,
 
 	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
 						   offset);
+	if (reg_offset < 0)
+		return;
 
 	rx_filter_core_wl(priv, val, reg_offset);
 }
@@ -244,6 +246,8 @@  static u32 bcmasp_netfilt_rd(struct bcmasp_priv *priv,
 
 	reg_offset = bcmasp_netfilt_get_reg_offset(priv, nfilt, reg_type,
 						   offset);
+	if (reg_offset < 0)
+		return 0;
 
 	return rx_filter_core_rl(priv, reg_offset);
 }