lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220418231746.2464800-6-grundler@chromium.org> Date: Mon, 18 Apr 2022 16:17:46 -0700 From: Grant Grundler <grundler@...omium.org> To: Igor Russkikh <irusskikh@...vell.com> Cc: Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, netdev <netdev@...r.kernel.org>, "David S . Miller" <davem@...emloft.net>, LKML <linux-kernel@...r.kernel.org>, Aashay Shringarpure <aashay@...gle.com>, Yi Chou <yich@...gle.com>, Shervin Oloumi <enlightened@...gle.com>, Grant Grundler <grundler@...omium.org> Subject: [PATCH 5/5] net: atlantic: verify hw_head_ is reasonable Bounds check hw_head index to verify it lies within the TX buffer ring. Unexpected values of hw_head may cause aq_ring_tx_clean to double dev_kfree_skb_any already cleaned parts of the ring. Reported-by: Aashay Shringarpure <aashay@...gle.com> Reported-by: Yi Chou <yich@...gle.com> Reported-by: Shervin Oloumi <enlightened@...gle.com> Signed-off-by: Grant Grundler <grundler@...omium.org> --- .../aquantia/atlantic/hw_atl/hw_atl_b0.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c index e72b9d86f6ad..9b6b93bb3e86 100644 --- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c @@ -889,6 +889,27 @@ int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self, err = -ENXIO; goto err_exit; } + + /* Validate that the new hw_head_ is reasonable. */ + if (hw_head_ >= ring->size) { + err = -ENXIO; + goto err_exit; + } + + if (ring->sw_head >= ring->sw_tail) { + /* Head index hasn't wrapped around to below tail index. */ + if (hw_head_ < ring->sw_head && hw_head_ >= ring->sw_tail) { + err = -ENXIO; + goto err_exit; + } + } else { + /* Head index has wrapped around and is below tail index. */ + if (hw_head_ < ring->sw_head || hw_head_ >= ring->sw_tail) { + err = -ENXIO; + goto err_exit; + } + } + ring->hw_head = hw_head_; err = aq_hw_err_from_flags(self); -- 2.36.0.rc0.470.gd361397f0d-goog
Powered by blists - more mailing lists