| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Nov 2023 03:16:30 +0000
From: Subbaraya Sundeep Bhatta <sbhatta@...vell.com>
To: Elena Salomatkina <elena.salomatkina.cmc@...il.com>,
Sunil Kovvuri Goutham
<sgoutham@...vell.com>
CC: Linu Cherian <lcherian@...vell.com>,
Geethasowjanya Akula
<gakula@...vell.com>,
Jerin Jacob Kollanukkaran <jerinj@...vell.com>,
Hariprasad Kelam <hkelam@...vell.com>,
"David S. Miller"
<davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski
<kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
"netdev@...r.kernel.org"
<netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>,
"lvc-project@...uxtesting.org"
<lvc-project@...uxtesting.org>,
Simon Horman <horms@...nel.org>
Subject: RE: [EXT] [PATCH net] octeontx2-af: Fix possible buffer overflow
Hi,
>-----Original Message-----
>From: Elena Salomatkina <elena.salomatkina.cmc@...il.com>
>Sent: Saturday, November 25, 2023 2:38 AM
>To: Sunil Kovvuri Goutham <sgoutham@...vell.com>
>Cc: Elena Salomatkina <elena.salomatkina.cmc@...il.com>; Linu Cherian
><lcherian@...vell.com>; Geethasowjanya Akula <gakula@...vell.com>;
>Jerin Jacob Kollanukkaran <jerinj@...vell.com>; Hariprasad Kelam
><hkelam@...vell.com>; Subbaraya Sundeep Bhatta <sbhatta@...vell.com>;
>David S. Miller <davem@...emloft.net>; Eric Dumazet
><edumazet@...gle.com>; Jakub Kicinski <kuba@...nel.org>; Paolo Abeni
><pabeni@...hat.com>; netdev@...r.kernel.org; linux-
>kernel@...r.kernel.org; lvc-project@...uxtesting.org; Simon Horman
><horms@...nel.org>
>Subject: [EXT] [PATCH net] octeontx2-af: Fix possible buffer overflow
>
>----------------------------------------------------------------------
>A loop in rvu_mbox_handler_nix_bandprof_free() contains a break if (idx ==
>MAX_BANDPROF_PER_PFFUNC), but if idx may reach
>MAX_BANDPROF_PER_PFFUNC buffer '(*req->prof_idx)[layer]' overflow
>happens before that check.
>
>The patch moves the break to the
>beginning of the loop.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config
>support").
>Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@...il.com>
>Reviewed-by: Simon Horman <horms@...nel.org>
Reviewed-by: Subbaraya Sundeep <sbhatta@...vell.com>
Thanks,
Sundeep
>---
> drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>index 23c2f2ed2fb8..c112c71ff576 100644
>--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
>@@ -5505,6 +5505,8 @@ int rvu_mbox_handler_nix_bandprof_free(struct
>rvu *rvu,
>
> ipolicer = &nix_hw->ipolicer[layer];
> for (idx = 0; idx < req->prof_count[layer]; idx++) {
>+ if (idx == MAX_BANDPROF_PER_PFFUNC)
>+ break;
> prof_idx = req->prof_idx[layer][idx];
> if (prof_idx >= ipolicer->band_prof.max ||
> ipolicer->pfvf_map[prof_idx] != pcifunc) @@ -
>5518,8 +5520,6 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu
>*rvu,
> ipolicer->pfvf_map[prof_idx] = 0x00;
> ipolicer->match_id[prof_idx] = 0;
> rvu_free_rsrc(&ipolicer->band_prof, prof_idx);
>- if (idx == MAX_BANDPROF_PER_PFFUNC)
>- break;
> }
> }
> mutex_unlock(&rvu->rsrc_lock);
>--
>2.34.1
Powered by blists - more mailing lists