| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Jul 2022 19:34:58 -0700
From: Florian Fainelli <f.fainelli@...il.com>
To: Stephen Hemminger <stephen@...workplumber.org>,
Giuseppe Cavallaro <peppe.cavallaro@...com>,
Alexandre Torgue <alexandre.torgue@...s.st.com>,
Jose Abreu <joabreu@...opsys.com>,
"Ling, Pei Lee" <pei.lee.ling@...el.com>,
Voon Weifeng <weifeng.voon@...el.com>,
Wong Vee Khee <vee.khee.wong@...ux.intel.com>,
Mohammad Athari Bin Ismail <mohammad.athari.ismail@...el.com>,
Joao.Pinto@...opsys.com
Cc: netdev@...r.kernel.org
Subject: Re: Fw: [Bug 216195] New: Maxlinear GPY115 UBSAN: shift-out-of-bounds
+Intel folks, Joao,
On 7/1/2022 4:45 PM, Stephen Hemminger wrote:
>
>
> Begin forwarded message:
>
> Date: Fri, 01 Jul 2022 08:26:11 +0000
> From: bugzilla-daemon@...nel.org
> To: stephen@...workplumber.org
> Subject: [Bug 216195] New: Maxlinear GPY115 UBSAN: shift-out-of-bounds
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=216195
>
> Bug ID: 216195
> Summary: Maxlinear GPY115 UBSAN: shift-out-of-bounds
> Product: Networking
> Version: 2.5
> Kernel Version: 5.15-5.17
> Hardware: Intel
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: stephen@...workplumber.org
> Reporter: cedric@...espeed.nl
> Regression: No
>
> This is related to specific (wired) Ethernet IC: Maxlinear Ethernet GPY115B
> The network interface does show up in ifconfig but is not functioning, no
> ip-address is assigned.
>
> During the bootup process I get the following warning:
>
> UBSAN: shift-out-of-bounds in
> /build/linux-WLUive/linux-
> 5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
> Shift exponent 40 is too large for 32-bit type 'unsigned int'
>
> This results in the following error:
>
> Maxlinear Ethernet GPY115B stmmac-3:01: gpy_config_aneg failed -110
>
> The specific kernel I am running: 5.15.0-40-generic on Ubuntu but also tested
> this with Fedora Server 36 running kernel 5.17.
> Config: CONFIG_MAXLINEAR_GPHY=m
> The module is installed here:
> /usr/lib/modules/5.15.0-generic/kernel/drivers/net/phy/mxl-gpy.ko
>
> Additional information:
> https://askubuntu.com/questions/1416068/how-to-enable-maxlinear-phy-gpy115-drivers
>
> Datasheet:
> https://www.maxlinear.com/product/connectivity/wired/ethernet/ethernet-transceivers-phy/gpy115
>
I do not know how or if the undefined behavior relates to the Ethernet
PHY driver reporting a -ETIMEDOUT during auto-negotiation however the
undefined behavior looks legit to me. Line 224 is:
value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
with:
#define MTL_RXQ_DMA_QXMDMACH(chan, q) ((chan) << (8 * (q)))
So for the shift to exceed 32-bits we would need q to be >=4, or q = 3
and chan >= 256, more on that below. The report does not indicate which
platform is used but googling around shows this askubuntu bug report
from the same person:
https://askubuntu.com/questions/1416068/how-to-enable-maxlinear-phy-gpy115-drivers
and indicates that the platform is an Onlogic HX310 which is Intel
Elkhart SoC. This means that dwmac-intel.c is likely the glue driver
being used for registration and there we have several paths through
which plat->rx_queues_to_use is used as an iterator to initialize
plat->rx_queues_cfg[i].chan = i.
Given there can be 1, 6 or 8 RX queues according to that file, then the
latter 2 combinations will trigger undefined behaviors by shifting too
much to the left.
Not having access to the DMWAC4 datasheet however I do not know how to
fix it.
Fixes tag for that bug would be:
Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
--
Florian
Powered by blists - more mailing lists