lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 5 Dec 2022 21:42:50 +0300
From:   Dan Carpenter <error27@...il.com>
To:     Leon Romanovsky <leon@...nel.org>
Cc:     Thomas Petazzoni <thomas.petazzoni@...tlin.com>,
        Gregory CLEMENT <gregory.clement@...tlin.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net] net: mvneta: Prevent out of bounds read in
 mvneta_config_rss()

On Mon, Dec 05, 2022 at 07:44:12PM +0200, Leon Romanovsky wrote:
> On Mon, Dec 05, 2022 at 12:03:46PM +0300, Dan Carpenter wrote:
> > On Sun, Dec 04, 2022 at 02:47:13PM +0200, Leon Romanovsky wrote:
> > > On Fri, Dec 02, 2022 at 12:58:26PM +0300, Dan Carpenter wrote:
> > > > The pp->indir[0] value comes from the user.  It is passed to:
> > > > 
> > > > 	if (cpu_online(pp->rxq_def))
> > > > 
> > > > inside the mvneta_percpu_elect() function.  It needs bounds checkeding
> > > > to ensure that it is not beyond the end of the cpu bitmap.
> > > > 
> > > > Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
> > > > Signed-off-by: Dan Carpenter <error27@...il.com>
> > > > ---
> > > >  drivers/net/ethernet/marvell/mvneta.c | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > 
> > > I would expect that ethtool_copy_validate_indir() will prevent this.
> > > 
> > 
> > Huh...  Sort of, but in the strictest sense, no.  mvneta_ethtool_get_rxnfc()
> > sets the cap at 8 by default or an unvalidated module parameter.
> 
> And is this solely mvnet issue? Do other drivers safe for this input?
> 

I believe so, yes.  However thinking about it now maybe a better fix
would be to go back to the original way of using pp->rxq_def % nr_cpu_ids.
(Originally it used num_online_cpus() instead of nr_cpu_ids but I think
nr_cpu_ids is correct).  I will send this patch tomorrow.

In this code, if you hit the out of bounds then you kind of deserve it,
but there are probably a lot of people who probably have fewer than 8
cores and in that case the bug results in a WARN().

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ