lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 16 Apr 2023 10:46:07 +0300
From:   Alvaro Karsz <alvaro.karsz@...id-run.com>
To:     mst@...hat.com, jasowang@...hat.com
Cc:     davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, virtualization@...ts.linux-foundation.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Alvaro Karsz <alvaro.karsz@...id-run.com>
Subject: [PATCH net] virtio-net: reject small vring sizes

Check vring size and fail probe if a transmit/receive vring size is
smaller than MAX_SKB_FRAGS + 2.

At the moment, any vring size is accepted. This is problematic because
it may result in attempting to transmit a packet with more fragments
than there are descriptors in the ring.

Furthermore, it leads to an immediate bug:

The condition: (sq->vq->num_free >= 2 + MAX_SKB_FRAGS) in
virtnet_poll_cleantx and virtnet_poll_tx always evaluates to false,
so netif_tx_wake_queue is not called, leading to TX timeouts.

Signed-off-by: Alvaro Karsz <alvaro.karsz@...id-run.com>
---
 drivers/net/virtio_net.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 2396c28c012..59676252c5c 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3745,6 +3745,26 @@ static int init_vqs(struct virtnet_info *vi)
 	return ret;
 }
 
+static int virtnet_validate_vqs(struct virtnet_info *vi)
+{
+	u32 i, min_size = roundup_pow_of_two(MAX_SKB_FRAGS + 2);
+
+	/* Transmit/Receive vring size must be at least MAX_SKB_FRAGS + 2
+	 * (fragments + linear part + virtio header)
+	 */
+	for (i = 0; i < vi->max_queue_pairs; i++) {
+		if (virtqueue_get_vring_size(vi->sq[i].vq) < min_size ||
+		    virtqueue_get_vring_size(vi->rq[i].vq) < min_size) {
+			dev_warn(&vi->vdev->dev,
+				 "Transmit/Receive virtqueue vring size must be at least %u\n",
+				 min_size);
+			return -EINVAL;
+		}
+	}
+
+	return 0;
+}
+
 #ifdef CONFIG_SYSFS
 static ssize_t mergeable_rx_buffer_size_show(struct netdev_rx_queue *queue,
 		char *buf)
@@ -4056,6 +4076,10 @@ static int virtnet_probe(struct virtio_device *vdev)
 	if (err)
 		goto free;
 
+	err = virtnet_validate_vqs(vi);
+	if (err)
+		goto free_vqs;
+
 #ifdef CONFIG_SYSFS
 	if (vi->mergeable_rx_bufs)
 		dev->sysfs_rx_queue_group = &virtio_net_mrg_rx_group;
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ