Message ID | 20200802153930.5271-1-baijiaju@tsinghua.edu.cn
---|---
State | Changes Requested
Delegated to | David Miller
Series | net: sfc: fix possible buffer overflow caused by bad DMA value in efx_siena_sriov_vfdi()
On 02/08/2020 16:39, Jia-Ju Bai wrote: > To fix this problem, "req->op" is assigned to a local variable, and then > the driver accesses this variable instead of "req->op". > > Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn> Not sure how necessary this is (or even if anyone's still using Siena SR-IOV, since it needed a specially-patched libvirt to work), but I don't see any reason to refuse. > diff --git a/drivers/net/ethernet/sfc/siena_sriov.c b/drivers/net/ethernet/sfc/siena_sriov.c > index 83dcfcae3d4b..21a8482cbb3b 100644 > --- a/drivers/net/ethernet/sfc/siena_sriov.c > +++ b/drivers/net/ethernet/sfc/siena_sriov.c > @@ -875,6 +875,7 @@ static void efx_siena_sriov_vfdi(struct work_struct *work) > struct vfdi_req *req = vf->buf.addr; > struct efx_memcpy_req copy[2]; > int rc; > + u32 op = req->op; Could you maybe fix up the xmas here, rather than making it worse? Also, you didn't specify in your Subject line which tree this is for. -ed
diff --git a/drivers/net/ethernet/sfc/siena_sriov.c b/drivers/net/ethernet/sfc/siena_sriov.c index 83dcfcae3d4b..21a8482cbb3b 100644 --- a/drivers/net/ethernet/sfc/siena_sriov.c +++ b/drivers/net/ethernet/sfc/siena_sriov.c @@ -875,6 +875,7 @@ static void efx_siena_sriov_vfdi(struct work_struct *work) struct vfdi_req *req = vf->buf.addr; struct efx_memcpy_req copy[2]; int rc; + u32 op = req->op; /* Copy this page into the local address space */ memset(copy, '\0', sizeof(copy)); @@ -894,17 +895,17 @@ static void efx_siena_sriov_vfdi(struct work_struct *work) return; } - if (req->op < VFDI_OP_LIMIT && vfdi_ops[req->op] != NULL) { - rc = vfdi_ops[req->op](vf); + if (op < VFDI_OP_LIMIT && vfdi_ops[op] != NULL) { + rc = vfdi_ops[op](vf); if (rc == 0) { netif_dbg(efx, hw, efx->net_dev, "vfdi request %d from %s ok\n", - req->op, vf->pci_name); + op, vf->pci_name); } } else { netif_dbg(efx, hw, efx->net_dev, "ERROR: Unrecognised request %d from VF %s addr " - "%llx\n", req->op, vf->pci_name, + "%llx\n", op, vf->pci_name, (unsigned long long)vf->req_addr); rc = VFDI_RC_EOPNOTSUPP; }
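Review bot: in the first hunk, `u32 op = req->op;` is a plain load from memory the commit message itself says the device can rewrite at any time; since the whole point of the patch is to fetch the field exactly once, consider `u32 op = READ_ONCE(req->op);` so the single-read intent is explicit and the compiler is not free to re-load `req->op` at the later uses. The new declaration also lands below `int rc;`, breaking the reverse-xmas-tree ordering of the surrounding locals, so it should move above `int rc;` rather than extend the list at the bottom.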
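Review bot: in the second hunk the two `netif_dbg()` calls still format the value with `%d` ("vfdi request %d from %s ok\n" and "ERROR: Unrecognised request %d from VF %s addr ") although the argument is now the `u32` local `op`; switch both to `%u` so the specifier matches the type. The substantive change is correct as far as these lines show: the bounds check, the `vfdi_ops[]` index and the `vfdi_ops[op](vf)` call now all use the same snapshot, which is what closes the check-then-index window.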
In efx_siena_sriov_vfdi():

    req = vf->buf.addr;

Because "vf->buf.addr" is mapped to coherent DMA (allocated in efx_nic_alloc_buffer()), "req" is also mapped to DMA.

Then "req->op" is accessed in this function:

    if (req->op < VFDI_OP_LIMIT && vfdi_ops[req->op] != NULL) {
        rc = vfdi_ops[req->op](vf);

Because "req" is mapped to DMA, its data can be modified at any time by malicious or malfunctioning hardware. In this case, the check "if (req->op < VFDI_OP_LIMIT)" can be passed, and then "req->op" can be modified to cause buffer overflow when the driver accesses "vfdi_ops[req->op]".

To fix this problem, "req->op" is assigned to a local variable, and then the driver accesses this variable instead of "req->op".

Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
---
 drivers/net/ethernet/sfc/siena_sriov.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
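The hazard the commit message describes is a double fetch from device-writable memory: the driver checks one read of `req->op` and indexes the handler table with a second read. The program below is an added, stand-alone model of that pattern and of the patched single-snapshot form; it is not code from the sfc driver or from the patch. `struct sim_dma_req`, `dma_read_op()`, `dispatch_index_double_fetch()`, `dispatch_snapshot()` and the `scenario_*` helpers are hypothetical names, and the request buffer is simulated by a constructed sequence of values that successive reads observe, standing in for a device rewriting the field between the driver's fetches. Only `VFDI_OP_LIMIT` and the `vfdi_ops[]` table shape mirror the driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the double fetch described in the commit message.
 * All names here (sim_dma_req, dispatch_*, scenario_*) are hypothetical and
 * not taken from the sfc driver; only VFDI_OP_LIMIT/vfdi_ops mirror its shape. */

#define VFDI_OP_LIMIT 4
#define VFDI_RC_EOPNOTSUPP (-95)   /* stands in for the driver's error code */

typedef int (*vfdi_op_t)(void);

static int op_noop(void) { return 0; }
static int op_one(void)  { return 1; }

/* Handler table indexed by the op code; entries 2 and 3 are unimplemented. */
static vfdi_op_t vfdi_ops[VFDI_OP_LIMIT] = { op_noop, op_one, NULL, NULL };

/* Simulated DMA-mapped request. The driver never holds a stable copy of
 * ->op: every fetch goes through dma_read_op(), and the simulated device may
 * have rewritten the field in between, so the n-th read returns values[n]. */
struct sim_dma_req {
    const uint32_t *values;   /* constructed: value observed by the n-th read */
    size_t nvalues;
    size_t reads;             /* number of fetches performed so far */
};

static uint32_t dma_read_op(struct sim_dma_req *req)
{
    size_t i = req->reads < req->nvalues ? req->reads : req->nvalues - 1;
    req->reads++;
    return req->values[i];
}

/* Original pattern: the bounds check and the table index each re-fetch the
 * field. To stay runnable without touching memory out of range, this returns
 * the index the table lookup *would* use (or -1 if the check rejected it)
 * instead of dereferencing vfdi_ops[]. */
static long dispatch_index_double_fetch(struct sim_dma_req *req)
{
    if (dma_read_op(req) < VFDI_OP_LIMIT)          /* first fetch: checked */
        return (long)dma_read_op(req);             /* second fetch: used   */
    return -1;
}

/* Patched pattern: one fetch into a local, then check and index that local. */
static int dispatch_snapshot(struct sim_dma_req *req)
{
    uint32_t op = dma_read_op(req);                /* the only fetch */
    if (op < VFDI_OP_LIMIT && vfdi_ops[op] != NULL)
        return vfdi_ops[op]();
    return VFDI_RC_EOPNOTSUPP;
}

/* Constructed scenarios: the device presents op = 1 and rewrites it to 7
 * before a second read; op = 9 is out of range; op = 2 has no handler. */
static const uint32_t race_seq[] = { 1, 7 };
static const uint32_t oob_seq[]  = { 9 };
static const uint32_t null_seq[] = { 2 };

static long scenario_double_fetch_index(void)
{
    struct sim_dma_req r = { race_seq, 2, 0 };
    return dispatch_index_double_fetch(&r);        /* 7: past VFDI_OP_LIMIT */
}

static int scenario_snapshot_rc(const uint32_t *seq, size_t n)
{
    struct sim_dma_req r = { seq, n, 0 };
    return dispatch_snapshot(&r);
}

static size_t scenario_snapshot_reads(void)
{
    struct sim_dma_req r = { race_seq, 2, 0 };
    (void)dispatch_snapshot(&r);
    return r.reads;                                /* 1: a single fetch */
}

int main(void)
{
    printf("double fetch would index vfdi_ops[%ld] (limit %d)\n",
           scenario_double_fetch_index(), VFDI_OP_LIMIT);
    printf("snapshot: rc=%d after %zu read(s)\n",
           scenario_snapshot_rc(race_seq, 2), scenario_snapshot_reads());
    printf("snapshot, op=9: rc=%d\n", scenario_snapshot_rc(oob_seq, 1));
    printf("snapshot, op=2 (NULL handler): rc=%d\n",
           scenario_snapshot_rc(null_seq, 1));
    return 0;
}
```

The double-fetch dispatcher passes its check on the first value and would then index the table with a value the check never saw, while the snapshot version reads the shared field exactly once and rejects both the out-of-range code and the unimplemented one with the same error path. In kernel code the snapshot would normally be taken with `READ_ONCE(req->op)` rather than a plain assignment, so that the single read is also guaranteed at the compiler level; the model above simulates that by routing every fetch through `dma_read_op()`.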