Date:   Mon, 14 Feb 2022 10:41:29 +0800
From:   Haiyue Wang <haiyue.wang@...el.com>
To:     netdev@...r.kernel.org
Cc:     Haiyue Wang <haiyue.wang@...el.com>,
        Jeroen de Borst <jeroendb@...gle.com>,
        Catherine Sullivan <csully@...gle.com>,
        David Awogbemila <awogbemila@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Willem de Bruijn <willemb@...gle.com>,
        Bailey Forrest <bcf@...gle.com>, Tao Liu <xliutaox@...gle.com>,
        Christophe JAILLET <christophe.jaillet@...adoo.fr>,
        John Fraker <jfraker@...gle.com>,
        Yangchun Fu <yangchun@...gle.com>,
        linux-kernel@...r.kernel.org (open list)
Subject: [PATCH v1] gve: fix zero size queue page list allocation

According to the two functions 'gve_num_tx/rx_qpls', only the queue with
GVE_GQI_QPL_FORMAT format has a queue page list.

The 'queue_format == GVE_GQI_RDA_FORMAT' may lead to a request for a zero-sized
memory allocation, for example if the queue format is GVE_DQO_RDA_FORMAT.

The kernel memory subsystem will return ZERO_SIZE_PTR, which is not a NULL
address, so the driver can run successfully. Also the code still checks
the queue page list number first, then accesses the allocated memory,
so a zero-number queue page list allocation will not lead to an access fault.

Use the queue page list number to detect no QPLs; this avoids zero-size
queue page list memory allocation.

Fixes: a5886ef4f4bf ("gve: Introduce per netdev `enum gve_queue_format`")
Signed-off-by: Haiyue Wang <haiyue.wang@...el.com>
---
 drivers/net/ethernet/google/gve/gve_main.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
index 54e51c8221b8..6cafee55efc3 100644
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -857,8 +857,7 @@ static int gve_alloc_qpls(struct gve_priv *priv)
 	int i, j;
 	int err;
 
-	/* Raw addressing means no QPLs */
-	if (priv->queue_format == GVE_GQI_RDA_FORMAT)
+	if (num_qpls == 0)
 		return 0;
 
 	priv->qpls = kvcalloc(num_qpls, sizeof(*priv->qpls), GFP_KERNEL);
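Review bot: The new early return on `num_qpls == 0` drops the "Raw addressing means no QPLs" comment without a replacement, so the reason the count can be zero is no longer stated at the check. A one-line comment saying that only GVE_GQI_QPL_FORMAT has QPLs would keep that intent visible. Also note that on this path `priv->qpls` is no longer assigned at all, where the kvcalloc() below previously stored ZERO_SIZE_PTR for the DQO RDA case; please confirm that nothing tests `priv->qpls` for non-NULL as a proxy for "QPLs were set up", and that every user gates on the count first as the commit message says.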
@@ -901,8 +900,7 @@ static void gve_free_qpls(struct gve_priv *priv)
 	int num_qpls = gve_num_tx_qpls(priv) + gve_num_rx_qpls(priv);
 	int i;
 
-	/* Raw addressing means no QPLs */
-	if (priv->queue_format == GVE_GQI_RDA_FORMAT)
+	if (num_qpls == 0)
 		return;
 
 	kvfree(priv->qpl_cfg.qpl_id_map);
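Review bot: The `num_qpls == 0` check in gve_free_qpls() uses a count recomputed from gve_num_tx_qpls() and gve_num_rx_qpls() at free time, so the free path is only correct if that sum is the same as when gve_alloc_qpls() ran. If the queue format or queue counts can change in between, a zero result here would skip the kvfree() of `priv->qpl_cfg.qpl_id_map` and leak what was allocated. Please confirm the two helpers are stable across the alloc/free pair, or key the early return on the allocated pointer instead, since kvfree() already tolerates NULL. As in the alloc hunk, a short comment replacing the removed one would help.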
-- 
2.35.1
