lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Nov 2023 03:16:30 +0000
From: Subbaraya Sundeep Bhatta <sbhatta@...vell.com>
To: Elena Salomatkina <elena.salomatkina.cmc@...il.com>,
        Sunil Kovvuri Goutham
	<sgoutham@...vell.com>
CC: Linu Cherian <lcherian@...vell.com>,
        Geethasowjanya Akula
	<gakula@...vell.com>,
        Jerin Jacob Kollanukkaran <jerinj@...vell.com>,
        Hariprasad Kelam <hkelam@...vell.com>,
        "David S. Miller"
	<davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski
	<kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>,
        "lvc-project@...uxtesting.org"
	<lvc-project@...uxtesting.org>,
        Simon Horman <horms@...nel.org>
Subject: RE: [EXT] [PATCH net] octeontx2-af: Fix possible buffer overflow

Hi,

>-----Original Message-----
>From: Elena Salomatkina <elena.salomatkina.cmc@...il.com>
>Sent: Saturday, November 25, 2023 2:38 AM
>To: Sunil Kovvuri Goutham <sgoutham@...vell.com>
>Cc: Elena Salomatkina <elena.salomatkina.cmc@...il.com>; Linu Cherian
><lcherian@...vell.com>; Geethasowjanya Akula <gakula@...vell.com>;
>Jerin Jacob Kollanukkaran <jerinj@...vell.com>; Hariprasad Kelam
><hkelam@...vell.com>; Subbaraya Sundeep Bhatta <sbhatta@...vell.com>;
>David S. Miller <davem@...emloft.net>; Eric Dumazet
><edumazet@...gle.com>; Jakub Kicinski <kuba@...nel.org>; Paolo Abeni
><pabeni@...hat.com>; netdev@...r.kernel.org; linux-
>kernel@...r.kernel.org; lvc-project@...uxtesting.org; Simon Horman
><horms@...nel.org>
>Subject: [EXT] [PATCH net] octeontx2-af: Fix possible buffer overflow
>
>----------------------------------------------------------------------
>A loop in rvu_mbox_handler_nix_bandprof_free() contains a break if (idx ==
>MAX_BANDPROF_PER_PFFUNC), but if idx may reach
>MAX_BANDPROF_PER_PFFUNC buffer '(*req->prof_idx)[layer]' overflow
>happens before that check.
>
>The patch moves the break to the
>beginning of the loop.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config
>support").
>Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@...il.com>
>Reviewed-by: Simon Horman <horms@...nel.org>

Reviewed-by: Subbaraya Sundeep <sbhatta@...vell.com>

Thanks,
Sundeep

>---
> drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>index 23c2f2ed2fb8..c112c71ff576 100644
>--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>@@ -5505,6 +5505,8 @@ int rvu_mbox_handler_nix_bandprof_free(struct
>rvu *rvu,
>
> 		ipolicer = &nix_hw->ipolicer[layer];
> 		for (idx = 0; idx < req->prof_count[layer]; idx++) {
>+			if (idx == MAX_BANDPROF_PER_PFFUNC)
>+				break;
> 			prof_idx = req->prof_idx[layer][idx];
> 			if (prof_idx >= ipolicer->band_prof.max ||
> 			    ipolicer->pfvf_map[prof_idx] != pcifunc) @@ -
>5518,8 +5520,6 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu
>*rvu,
> 			ipolicer->pfvf_map[prof_idx] = 0x00;
> 			ipolicer->match_id[prof_idx] = 0;
> 			rvu_free_rsrc(&ipolicer->band_prof, prof_idx);
>-			if (idx == MAX_BANDPROF_PER_PFFUNC)
>-				break;
> 		}
> 	}
> 	mutex_unlock(&rvu->rsrc_lock);
>--
>2.34.1


Powered by blists - more mailing lists