| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220418231746.2464800-6-grundler@chromium.org>
Date: Mon, 18 Apr 2022 16:17:46 -0700
From: Grant Grundler <grundler@...omium.org>
To: Igor Russkikh <irusskikh@...vell.com>
Cc: Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
netdev <netdev@...r.kernel.org>,
"David S . Miller" <davem@...emloft.net>,
LKML <linux-kernel@...r.kernel.org>,
Aashay Shringarpure <aashay@...gle.com>,
Yi Chou <yich@...gle.com>,
Shervin Oloumi <enlightened@...gle.com>,
Grant Grundler <grundler@...omium.org>
Subject: [PATCH 5/5] net: atlantic: verify hw_head_ is reasonable
Bounds check hw_head index to verify it lies within the TX buffer ring.
Unexpected values of hw_head may cause aq_ring_tx_clean to double
dev_kfree_skb_any already cleaned parts of the ring.
Reported-by: Aashay Shringarpure <aashay@...gle.com>
Reported-by: Yi Chou <yich@...gle.com>
Reported-by: Shervin Oloumi <enlightened@...gle.com>
Signed-off-by: Grant Grundler <grundler@...omium.org>
---
.../aquantia/atlantic/hw_atl/hw_atl_b0.c | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index e72b9d86f6ad..9b6b93bb3e86 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -889,6 +889,27 @@ int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self,
err = -ENXIO;
goto err_exit;
}
+
+ /* Validate that the new hw_head_ is reasonable. */
+ if (hw_head_ >= ring->size) {
+ err = -ENXIO;
+ goto err_exit;
+ }
+
+ if (ring->sw_head >= ring->sw_tail) {
+ /* Head index hasn't wrapped around to below tail index. */
+ if (hw_head_ < ring->sw_head && hw_head_ >= ring->sw_tail) {
+ err = -ENXIO;
+ goto err_exit;
+ }
+ } else {
+ /* Head index has wrapped around and is below tail index. */
+ if (hw_head_ < ring->sw_head || hw_head_ >= ring->sw_tail) {
+ err = -ENXIO;
+ goto err_exit;
+ }
+ }
+
ring->hw_head = hw_head_;
err = aq_hw_err_from_flags(self);
--
2.36.0.rc0.470.gd361397f0d-goog
Powered by blists - more mailing lists