lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Jan 2024 14:35:59 +0000
From: Danielle Ratson <danieller@...dia.com>
To: Simon Horman <horms@...nel.org>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "davem@...emloft.net"
	<davem@...emloft.net>, "edumazet@...gle.com" <edumazet@...gle.com>,
	"kuba@...nel.org" <kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com>,
	"corbet@....net" <corbet@....net>, "linux@...linux.org.uk"
	<linux@...linux.org.uk>, "sdf@...gle.com" <sdf@...gle.com>,
	"kory.maincent@...tlin.com" <kory.maincent@...tlin.com>,
	"maxime.chevallier@...tlin.com" <maxime.chevallier@...tlin.com>,
	"vladimir.oltean@....com" <vladimir.oltean@....com>,
	"przemyslaw.kitszel@...el.com" <przemyslaw.kitszel@...el.com>,
	"ahmed.zaki@...el.com" <ahmed.zaki@...el.com>, "richardcochran@...il.com"
	<richardcochran@...il.com>, "shayagr@...zon.com" <shayagr@...zon.com>,
	"paul.greenwalt@...el.com" <paul.greenwalt@...el.com>, "jiri@...nulli.us"
	<jiri@...nulli.us>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, mlxsw
	<mlxsw@...dia.com>, Petr Machata <petrm@...dia.com>, Ido Schimmel
	<idosch@...dia.com>
Subject: RE: [RFC PATCH net-next 7/9] ethtool: cmis_cdb: Add a layer for
 supporting CDB commands

> -----Original Message-----
> From: Simon Horman <horms@...nel.org>
> Sent: Monday, 22 January 2024 12:31
> To: Danielle Ratson <danieller@...dia.com>
> Cc: netdev@...r.kernel.org; davem@...emloft.net; edumazet@...gle.com;
> kuba@...nel.org; pabeni@...hat.com; corbet@....net;
> linux@...linux.org.uk; sdf@...gle.com; kory.maincent@...tlin.com;
> maxime.chevallier@...tlin.com; vladimir.oltean@....com;
> przemyslaw.kitszel@...el.com; ahmed.zaki@...el.com;
> richardcochran@...il.com; shayagr@...zon.com;
> paul.greenwalt@...el.com; jiri@...nulli.us; linux-doc@...r.kernel.org; linux-
> kernel@...r.kernel.org; mlxsw <mlxsw@...dia.com>; Petr Machata
> <petrm@...dia.com>; Ido Schimmel <idosch@...dia.com>
> Subject: Re: [RFC PATCH net-next 7/9] ethtool: cmis_cdb: Add a layer for
> supporting CDB commands
> 
> On Mon, Jan 22, 2024 at 10:45:28AM +0200, Danielle Ratson wrote:
> 
> ...
> 
> > +/**
> > + * struct ethtool_cmis_cdb_request - CDB commands request fields as
> decribed in
> > + *				the CMIS standard
> > + * @id: Command ID.
> > + * @epl_len: EPL memory length.
> > + * @lpl_len: LPL memory length.
> > + * @chk_code: Check code for the previous field and the payload.
> > + * @resv1: Added to match the CMIS standard request continuity.
> > + * @resv2: Added to match the CMIS standard request continuity.
> > + * @payload: Payload for the CDB commands.
> > + */
> > +struct ethtool_cmis_cdb_request {
> > +	__be16 id;
> > +	struct_group(body,
> > +		u16 epl_len;
> > +		u8 lpl_len;
> > +		u8 chk_code;
> > +		u8 resv1;
> > +		u8 resv2;
> > +		u8 payload[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH];
> > +	);
> > +};
> > +
> > +#define CDB_F_COMPLETION_VALID		BIT(0)
> > +#define CDB_F_STATUS_VALID		BIT(1)
> > +
> > +/**
> > + * struct ethtool_cmis_cdb_cmd_args - CDB commands execution
> > +arguments
> > + * @req: CDB command fields as described in the CMIS standard.
> > + * @max_duration: Maximum duration time for command completion in
> msec.
> > + * @read_write_len_ext: Allowable additional number of byte octets to the
> LPL
> > + *			in a READ or a WRITE commands.
> > + * @rpl_exp_len: Expected reply length in bytes.
> > + * @flags: Validation flags for CDB commands.
> > + */
> > +struct ethtool_cmis_cdb_cmd_args {
> > +	struct ethtool_cmis_cdb_request req;
> > +	u16				max_duration;
> > +	u8				read_write_len_ext;
> > +	u8                              rpl_exp_len;
> > +	u8				flags;
> > +};
> 
> ...
> 
> > +int ethtool_cmis_page_init(struct ethtool_module_eeprom *page_data,
> > +			   u8 page, u32 offset, u32 length) {
> > +	page_data->page = page;
> > +	page_data->offset = offset;
> > +	page_data->length = length;
> > +	page_data->i2c_address = ETHTOOL_CMIS_CDB_PAGE_I2C_ADDR;
> > +	page_data->data = kmalloc(page_data->length, GFP_KERNEL);
> > +	if (!page_data->data)
> > +		return -ENOMEM;
> > +
> > +	return 0;
> > +}
> 
> ...
> 
> > +static int
> > +__ethtool_cmis_cdb_execute_cmd(struct net_device *dev,
> > +			       struct ethtool_module_eeprom *page_data,
> > +			       u32 offset, u32 length, void *data) {
> > +	const struct ethtool_ops *ops = dev->ethtool_ops;
> > +	struct netlink_ext_ack extack = {};
> > +	int err;
> > +
> > +	page_data->offset = offset;
> > +	page_data->length = length;
> > +
> > +	memset(page_data->data, 0,
> ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH);
> > +	memcpy(page_data->data, data, page_data->length);
> > +
> > +	err = ops->set_module_eeprom_by_page(dev, page_data, &extack);
> > +	if (err < 0) {
> > +		if (extack._msg)
> > +			netdev_err(dev, "%s\n", extack._msg);
> > +	}
> > +
> > +	return err;
> > +}
> 
> ...
> 
> > +int ethtool_cmis_cdb_execute_cmd(struct net_device *dev,
> > +				 struct ethtool_cmis_cdb_cmd_args *args) {
> > +	struct ethtool_module_eeprom page_data = {};
> > +	u32 offset;
> > +	int err;
> > +
> > +	args->req.chk_code =
> > +		cmis_cdb_calc_checksum(&args->req, sizeof(args->req));
> > +
> > +	if (args->req.lpl_len > args->read_write_len_ext) {
> > +		ethnl_module_fw_flash_ntf_err(dev,
> > +					      "LPL length is longer than CDB read
> write length extension allows");
> > +		return -EINVAL;
> > +	}
> > +
> > +	err = ethtool_cmis_page_init(&page_data,
> ETHTOOL_CMIS_CDB_CMD_PAGE, 0,
> > +
> ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH);
> 
> ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH is passed as the length argument
> of ethtool_cmis_page_init, which will allocate that many bytes for page_data-
> >data.
> 
> > +	if (err < 0)
> > +		return err;
> > +
> > +	/* According to the CMIS standard, there are two options to trigger
> the
> > +	 * CDB commands. The default option is triggering the command by
> writing
> > +	 * the CMDID bytes. Therefore, the command will be split to 2 calls:
> > +	 * First, with everything except the CMDID field and then the CMDID
> > +	 * field.
> > +	 */
> > +	offset = CMIS_CDB_CMD_ID_OFFSET +
> > +		offsetof(struct ethtool_cmis_cdb_request, body);
> > +	err = __ethtool_cmis_cdb_execute_cmd(dev, &page_data, offset,
> > +					     sizeof(args->req.body),
> > +					     &args->req.body);
> 
> Hi Danielle,
> 
> However, here sizeof(args->req.body) is passed as the length argument of
> __ethtool_cmis_cdb_execute_cmd() which will:
> 
> 1. Zero ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH bytes of page_data->data
> 2. Copy sizeof(args->req.body) bytes into page_data->data
> 
> args->req.body includes several fields, one of which is
> ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH bytes long. So,
> args->req.body > ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH
> and it seems that step 2 above causes a buffer overrun.
> 
> Flagged by clang-17 W=1 build
> 
>  In file included from net/ethtool/cmis_cdb.c:3:
>  In file included from ./include/linux/ethtool.h:16:
>  In file included from ./include/linux/bitmap.h:12:
>  In file included from ./include/linux/string.h:295:
>  ./include/linux/fortify-string.h:579:4: error: call to '__write_overflow_field'
> declared with 'warning' attribute: detected write beyond size of field (1st
> parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
>    579 |                         __write_overflow_field(p_size_field, size);
>        |                         ^
>  ./include/linux/fortify-string.h:579:4: error: call to '__write_overflow_field'
> declared with 'warning' attribute: detected write beyond size of field (1st
> parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
>  ./include/linux/fortify-string.h:579:4: error: call to '__write_overflow_field'
> declared with 'warning' attribute: detected write beyond size of field (1st
> parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
> 

Hi Simon,

Thanks for the feedback.

Ill fix that, something like:

diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index b27e12871816..888b02e6eade 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -521,7 +521,7 @@ int ethtool_cmis_cdb_execute_cmd(struct net_device *dev,
        }

        err = ethtool_cmis_page_init(&page_data, ETHTOOL_CMIS_CDB_CMD_PAGE, 0,
-                                    ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH);
+                                    sizeof(args->req.body));
        if (err < 0)
                return err;

Danielle

> 
> > +	if (err < 0)
> > +		goto out;
> > +
> > +	offset = CMIS_CDB_CMD_ID_OFFSET +
> > +		offsetof(struct ethtool_cmis_cdb_request, id);
> > +	err = __ethtool_cmis_cdb_execute_cmd(dev, &page_data, offset,
> > +					     sizeof(args->req.id),
> > +					     &args->req.id);
> > +	if (err < 0)
> > +		goto out;
> > +
> > +	err = cmis_cdb_wait_for_completion(dev, args);
> > +	if (err < 0)
> > +		goto out;
> > +
> > +	err = cmis_cdb_wait_for_status(dev, args);
> > +	if (err < 0)
> > +		goto out;
> > +
> > +	err = cmis_cdb_process_reply(dev, &page_data, args);
> > +
> > +out:
> > +	ethtool_cmis_page_fini(&page_data);
> > +	return err;
> > +}
> 
> ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ