[PATCHv2] USB: gl620a: check for rx buffer overflow

Message ID	20231122095306.15175-1-oneukum@suse.com (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="lKuq8ARl" From: Oliver Neukum <oneukum@suse.com> To: dmitry.bezrukov@aquantia.com, marcinguy@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-usb@vger.kernel.org, netdev@vger.kernel.org Cc: Oliver Neukum <oneukum@suse.com> Subject: [PATCHv2] USB: gl620a: check for rx buffer overflow Date: Wed, 22 Nov 2023 10:52:22 +0100 Message-ID: <20231122095306.15175-1-oneukum@suse.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[PATCHv2] USB: gl620a: check for rx buffer overflow \| expand [PATCHv2] USB: gl620a: check for rx buffer overflow

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/codegen	success	Generated files up to date
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1127 this patch: 1127
netdev/cc_maintainers	success	CCed 6 of 6 maintainers
netdev/build_clang	success	Errors and warnings before: 1154 this patch: 1154
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1154 this patch: 1154
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Oliver Neukum Nov. 22, 2023, 9:52 a.m. UTC

The driver checks for a single package overflowing
maximum size. That needs to be done, but it is not
enough. As a single transmission can contain a high
number of packets, we also need to check whether
the aggregate of messages in itself short enough
overflow the buffer.
That is easiest done by checking that the current
packet does not overflow the buffer.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---

v2: corrected typo in commit message
 
 drivers/net/usb/gl620a.c | 4 ++++
 1 file changed, 4 insertions(+)

Sergey Shtylyov Nov. 22, 2023, 9:55 a.m. UTC | #1

On 11/22/23 12:52 PM, Oliver Neukum wrote:

> The driver checks for a single package overflowing

   Maybe packet?

> maximum size. That needs to be done, but it is not
> enough. As a single transmission can contain a high
> number of packets, we also need to check whether
> the aggregate of messages in itself short enough
> overflow the buffer.
> That is easiest done by checking that the current
> packet does not overflow the buffer.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
[...]

MBR, Sergey

Oliver Neukum Nov. 22, 2023, 10:04 a.m. UTC | #2

On 22.11.23 10:55, Sergey Shtylyov wrote:
> On 11/22/23 12:52 PM, Oliver Neukum wrote:
> 
>> The driver checks for a single package overflowing
> 
>     Maybe packet?

No, that would be read as network packet, which
is precisely what this not not and should not
be mistaken for.

	Regards
		Oliver

Sergei Shtylyov Nov. 22, 2023, 10:07 a.m. UTC | #3

On 11/22/23 1:04 PM, Oliver Neukum wrote:

[...]
>>> The driver checks for a single package overflowing
>>
>>     Maybe packet?
> 
> No, that would be read as network packet, which
> is precisely what this not not and should not
> be mistaken for.

   But "package" hardly fits either. Is it a USB packet or something else?

>     Regards
>         Oliver

MBR, Sergey

Oliver Neukum Nov. 22, 2023, 10:20 a.m. UTC | #4

On 22.11.23 11:07, Sergei Shtylyov wrote:
> On 11/22/23 1:04 PM, Oliver Neukum wrote:
> 
> [...]
>>>> The driver checks for a single package overflowing
>>>
>>>      Maybe packet?
>>
>> No, that would be read as network packet, which
>> is precisely what this not not and should not
>> be mistaken for.
> 
>     But "package" hardly fits either. Is it a USB packet or something else?

Technically the content of the buffer associated
with a single URB. Which on USB physically can be multiple
packets. The network packets arrive together in a package.
That is how this and related drivers operate.

	Regards
		Oliver

Simon Horman Nov. 24, 2023, 11:53 a.m. UTC | #5

On Wed, Nov 22, 2023 at 11:20:47AM +0100, Oliver Neukum wrote:
> 
> 
> On 22.11.23 11:07, Sergei Shtylyov wrote:
> > On 11/22/23 1:04 PM, Oliver Neukum wrote:
> > 
> > [...]
> > > > > The driver checks for a single package overflowing
> > > > 
> > > >      Maybe packet?
> > > 
> > > No, that would be read as network packet, which
> > > is precisely what this not not and should not
> > > be mistaken for.
> > 
> >     But "package" hardly fits either. Is it a USB packet or something else?
> 
> Technically the content of the buffer associated
> with a single URB. Which on USB physically can be multiple
> packets. The network packets arrive together in a package.
> That is how this and related drivers operate.

I think it would be useful to include information along the lines
of the above in the patch description.

Oliver Neukum Nov. 30, 2023, 9:38 a.m. UTC | #6

On 24.11.23 12:53, Simon Horman wrote:
>
> 
> I think it would be useful to include information along the lines
> of the above in the patch description.

Hi,

I see why you want this information to be available.
So I thought about it and I think this should be
either in Documentation or in a comment in usbnet,
so that new drivers include the necessary checks
from the start. What do you think?

	Regards
		Oliver

Simon Horman Nov. 30, 2023, 4:42 p.m. UTC | #7

On Thu, Nov 30, 2023 at 10:38:09AM +0100, Oliver Neukum wrote:
> On 24.11.23 12:53, Simon Horman wrote:
> > 
> > 
> > I think it would be useful to include information along the lines
> > of the above in the patch description.
> 
> Hi,
> 
> I see why you want this information to be available.
> So I thought about it and I think this should be
> either in Documentation or in a comment in usbnet,
> so that new drivers include the necessary checks
> from the start. What do you think?

Hi Oliver,

yes, now you mention it that does seem appropriate.
And I don't think that doing so gates this patch.

Reviewed-by: Simon Horman <horms@kernel.org>

Paolo Abeni Dec. 5, 2023, 8:04 a.m. UTC | #8

On Wed, 2023-11-22 at 10:52 +0100, Oliver Neukum wrote:
> The driver checks for a single package overflowing
> maximum size. That needs to be done, but it is not
> enough. As a single transmission can contain a high
> number of packets, we also need to check whether
> the aggregate of messages in itself short enough
> overflow the buffer.
> That is easiest done by checking that the current
> packet does not overflow the buffer.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>

This looks like a bugfix, so a suitable Fixes tag should be included.

> ---
> 
> v2: corrected typo in commit message
>  
>  drivers/net/usb/gl620a.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
> index 46af78caf457..d33ae15abdc1 100644
> --- a/drivers/net/usb/gl620a.c
> +++ b/drivers/net/usb/gl620a.c
> @@ -104,6 +104,10 @@ static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
>  			return 0;
>  		}
>  
> +		/* we also need to check for overflowing the buffer */
> +		if (size > skb->len)
> +			return 0;

I think the above is not strict enough: at this point skb->data points
to the gl_packet header. The first 4 bytes in skb are gl_packet-
>packet_length. To ensure an overflow is avoided you should check for:

		if (size + 4 > skb->len)

likely with a describing comment.

Cheers,

Paolo

Oliver Neukum Dec. 5, 2023, 10:21 a.m. UTC | #9

On 05.12.23 09:04, Paolo Abeni wrote:

Hi,

> I think the above is not strict enough: at this point skb->data points
> to the gl_packet header. The first 4 bytes in skb are gl_packet-
>> packet_length. To ensure an overflow is avoided you should check for:
> 
> 		if (size + 4 > skb->len)
> 
> likely with a describing comment.

it seems to me that at the time of the check skb->len has already
been adjusted by the skb_pull() before, respectively at the end, of
the loop.

	Regards
		Oliver

[PATCHv2] USB: gl620a: check for rx buffer overflow

Checks

Commit Message

Comments

Patch