lists.openwall.net
Open Source and information security mailing list archives
Message-Id: <20220418231746.2464800-1-grundler@chromium.org>
Date: Mon, 18 Apr 2022 16:17:41 -0700
From: Grant Grundler <grundler@...omium.org>
To: Igor Russkikh <irusskikh@...vell.com>
Cc: Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, netdev <netdev@...r.kernel.org>, "David S . Miller" <davem@...emloft.net>, LKML <linux-kernel@...r.kernel.org>, Aashay Shringarpure <aashay@...gle.com>, Yi Chou <yich@...gle.com>, Shervin Oloumi <enlightened@...gle.com>, Grant Grundler <grundler@...omium.org>
Subject: [PATCH 0/5] net: atlantic: more fuzzing fixes

The Chrome OS fuzzing team posted a "Fuzzing" report for the atlantic driver in Q4 2021 using the Chrome OS v5.4 kernel and a "Cable Matters Thunderbolt 3 to 10 Gb Ethernet" adapter (b0 version):
https://docs.google.com/document/d/e/2PACX-1vT4oCGNhhy_AuUqpu6NGnW0N9HF_jxf2kS7raOpOlNRqJNiTHAtjiHRthXYSeXIRTgfeVvsEt0qK9qK/pub

It essentially describes four problems:
1) validate rxd_wb->next_desc_ptr before populating buff->next
2) "frag[0] not initialized" case in aq_ring_rx_clean()
3) limit iterations handling fragments in aq_ring_rx_clean()
4) validate hw_head_ in hw_atl_b0_hw_ring_tx_head_update()

I've added one "clean up" contribution:
"net: atlantic: reduce scope of is_rsc_complete"

I tested the "original" patches using the chromeos-v5.4 kernel branch:
https://chromium-review.googlesource.com/q/hashtag:pcinet-atlantic-2022q1+(status:open%20OR%20status:merged)

The fuzzing team will retest using the chromeos-v5.4 patches and the b0 HW.

I've forward ported those patches to 5.18-rc2 and compiled them but am currently unable to test them on a 5.18-rc2 kernel (logistics problems).

I'm confident in all but the last patch:
"net: atlantic: verify hw_head_ is reasonable"

Please verify I'm not confusing how ring->sw_head and ring->sw_tail are used in hw_atl_b0_hw_ring_tx_head_update().

Credit largely goes to Chrome OS Fuzzing team members:
Aashay Shringarpure, Yi Chou, Shervin Oloumi

cheers,
grant
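The fourth item in the cover letter (and the question about sw_head/sw_tail) is about treating a hardware-written head index as untrusted input. The following is an added, stand-alone model written for this page, not code from the atlantic driver or from the patch series: it uses a hypothetical `struct ring_model` with a size, a `sw_head` (oldest descriptor still owned by hardware) and a `sw_tail` (one past the newest one handed to hardware), and checks that a hardware-reported `hw_head` both lies inside the ring and lies on the path from `sw_head` to `sw_tail` before the software head is advanced. The same bounds test on a descriptor index is what item 1 (validating `next_desc_ptr`) needs, so the first check is factored out.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Hypothetical descriptor ring model (not the driver's struct aq_ring_s).
 * The model keeps at least one slot free, so sw_head == sw_tail means the
 * ring is empty and there is no full/empty ambiguity.
 */
struct ring_model {
	unsigned int size;    /* number of descriptors in the ring */
	unsigned int sw_head; /* next descriptor the driver expects to reclaim */
	unsigned int sw_tail; /* next descriptor the driver will hand to HW */
};

/* A descriptor index coming from hardware must at least be inside the ring. */
bool desc_index_valid(const struct ring_model *r, unsigned int idx)
{
	return idx < r->size;
}

/* Descriptors currently owned by hardware: [sw_head, sw_tail) modulo size. */
unsigned int ring_in_flight(const struct ring_model *r)
{
	return (r->sw_tail + r->size - r->sw_head) % r->size;
}

/*
 * A hardware-reported TX completion head is "reasonable" only if it is a
 * valid index and it does not claim more completions than descriptors were
 * ever handed to hardware. hw_head == sw_tail means everything completed;
 * a value past sw_tail (modulo wrap) can only come from a corrupted or
 * fuzzed writeback and must not be used to advance sw_head.
 */
bool hw_head_is_reasonable(const struct ring_model *r, unsigned int hw_head)
{
	unsigned int completed;

	if (!desc_index_valid(r, hw_head))
		return false;
	completed = (hw_head + r->size - r->sw_head) % r->size;
	return completed <= ring_in_flight(r);
}

/*
 * Advance sw_head to hw_head after validation.
 * Returns the number of descriptors reclaimed, or -1 if hw_head was rejected
 * (in which case the ring state is left untouched).
 */
int ring_tx_head_update(struct ring_model *r, unsigned int hw_head)
{
	unsigned int reclaimed;

	if (!hw_head_is_reasonable(r, hw_head))
		return -1;
	reclaimed = (hw_head + r->size - r->sw_head) % r->size;
	r->sw_head = hw_head;
	return (int)reclaimed;
}
```

The rejection path deliberately leaves `sw_head` alone rather than clamping to `sw_tail`: once the hardware-reported head is known to be inconsistent, reclaiming anything based on it would free buffers the device may still DMA into, which is the class of problem the fuzzing report is about.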