| Message ID | 20210203113513.558864-2-parri.andrea@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 0102eeedb71757d6589144cf019424f69b3ab289 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | Amend "hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer" | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Clearly marked for net-next |
| netdev/subject_prefix | success | Link |
| netdev/cc_maintainers | success | CCed 9 of 9 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | warning | CHECK: Comparison to NULL could be written "!nvchan->recv_buf" WARNING: line length of 86 exceeds 80 columns |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
| netdev/stable | success | Stable not CCed |
diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 0fba8257fc119..9db1ea3affbb3 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c @@ -311,7 +311,7 @@ static int netvsc_init_buf(struct hv_device *device, struct nvsp_message *init_packet; unsigned int buf_size; size_t map_words; - int ret = 0; + int i, ret = 0; /* Get receive buffer area. */ buf_size = device_info->recv_sections * device_info->recv_section_size; @@ -405,6 +405,16 @@ static int netvsc_init_buf(struct hv_device *device, goto cleanup; } + for (i = 0; i < VRSS_CHANNEL_MAX; i++) { + struct netvsc_channel *nvchan = &net_device->chan_table[i]; + + nvchan->recv_buf = kzalloc(net_device->recv_section_size, GFP_KERNEL); + if (nvchan->recv_buf == NULL) { + ret = -ENOMEM; + goto cleanup; + } + } + /* Setup receive completion ring. * Add 1 to the recv_section_cnt because at least one entry in a * ring buffer has to be empty. @@ -1549,12 +1559,6 @@ struct netvsc_device *netvsc_device_add(struct hv_device *device, for (i = 0; i < VRSS_CHANNEL_MAX; i++) { struct netvsc_channel *nvchan = &net_device->chan_table[i]; - nvchan->recv_buf = kzalloc(device_info->recv_section_size, GFP_KERNEL); - if (nvchan->recv_buf == NULL) { - ret = -ENOMEM; - goto cleanup2; - } - nvchan->channel = device->channel; nvchan->net_device = net_device; u64_stats_init(&nvchan->tx_stats.syncp);
The recv_buf buffers are allocated in netvsc_device_add(). Later in netvsc_init_buf() the response to NVSP_MSG1_TYPE_SEND_RECV_BUF allows the host to set up a recv_section_size that could be bigger than the (default) value used for that allocation. The host-controlled value could be used by a malicious host to bypass the check on the packet's length in netvsc_receive() and hence to overflow the recv_buf buffer. Move the allocation of the recv_buf buffers into netvsc_init_but(). Reported-by: Juan Vazquez <juvazq@microsoft.com> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: netdev@vger.kernel.org Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer") --- drivers/net/hyperv/netvsc.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)