Message ID | 20240622063227.456107-1-qq810974084@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [V3] hippi: fix possible buffer overflow caused by bad DMA value in rr_start_xmit() | expand |
> …. Becausetxctrl->pi is assigned to … Word separation? > To address this issue, the index should be checked. Can an imperative wording be more desirable for such a change description? https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.10-rc4#n94 Regards, Markus
diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c index aa8f828a0ae7..f4da342dd5cc 100644 --- a/drivers/net/hippi/rrunner.c +++ b/drivers/net/hippi/rrunner.c @@ -1440,6 +1440,12 @@ static netdev_tx_t rr_start_xmit(struct sk_buff *skb, txctrl = &rrpriv->info->tx_ctrl; index = txctrl->pi; + if (index >= TX_RING_ENTRIES) { + netdev_err(dev, "invalid index value %02x\n", index); + netif_stop_queue(dev); + spin_unlock_irqrestore(&rrpriv->lock, flags); + return NETDEV_TX_BUSY; + } rrpriv->tx_skbuff[index] = skb; set_rraddr(&rrpriv->tx_ring[index].addr,
The value rrpriv->info->tx_ctrl is stored in DMA memory, and it is assigned to txctrl, so txctrl->pi can be modified at any time by malicious hardware. Becausetxctrl->pi is assigned to index, buffer overflow may occur when the code "rrpriv->tx_skbuff[index]" is executed. To address this issue, the index should be checked. Fixes: f33a7251c825 ("hippi: switch from 'pci_' to 'dma_' API") Signed-off-by: Huai-Yuan Liu <qq810974084@gmail.com> --- V2: * In patch V2, we remove the first condition in if statement and use netdev_err() instead of printk(). Thanks Paolo Abeni for helpful advice. V3: * In patch V3, we stop the queue before return BUSY. Thanks to Jakub Kicinski for his advice. --- drivers/net/hippi/rrunner.c | 6 ++++++ 1 file changed, 6 insertions(+)