lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZrC6jpghA3PWVWSB@gmail.com>
Date: Mon, 5 Aug 2024 04:42:06 -0700
From: Breno Leitao <leitao@...ian.org>
To: Jakub Kicinski <kuba@...nel.org>, michael.chan@...adcom.com,
	pavan.chebbi@...adcom.com
Cc: davem@...emloft.net, netdev@...r.kernel.org, edumazet@...gle.com,
	pabeni@...hat.com, michael.chan@...adcom.com,
	pavan.chebbi@...adcom.com, kalesh-anakkur.purayil@...adcom.com
Subject: Re: [PATCH net] bnxt: fix crashes when reducing ring count with
 active RSS contexts

Hello,

On Thu, Jul 04, 2024 at 07:00:05PM -0700, Jakub Kicinski wrote:
> bnxt doesn't check if a ring is used by RSS contexts when reducing
> ring count. Core performs a similar check for the drivers for
> the main context, but core doesn't know about additional contexts,
> so it can't validate them. bnxt_fill_hw_rss_tbl_p5() uses ring
> id to index bp->rx_ring, which without the check may end up
> being out of bounds.
> 
>   BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40
>   Read of size 2 at addr ffff8881c5809618 by task ethtool/31525
>   Call Trace:
>   __bnxt_hwrm_vnic_set_rss+0xb79/0xe40
>    bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460
>    __bnxt_setup_vnic_p5+0x12e/0x270
>    __bnxt_open_nic+0x2262/0x2f30
>    bnxt_open_nic+0x5d/0xf0
>    ethnl_set_channels+0x5d4/0xb30
>    ethnl_default_set_doit+0x2f1/0x620

I have this patch applied to my tree, and I am still finding a very
similar KASAN report in the last net-next/main tree - commit
3608d6aca5e793958462e6e01a8cdb6c6e8088d0 ("Merge branch 'dsa-en7581'
into main")

Skimmer over the code, In bnxt_fill_hw_rss_tbl(), bp->rss_indir_tbl[i]
returns 8, but, vnic->fw_grp_id size is 8, thus, it tries to access over
the last element (7).

Somehow bp->rss_indir_tbl[i] goes beynd rx_nr_rings.

--breno


	 ==================================================================
	 BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6307 drivers/net/ethernet/broadcom/bnxt/bnxt.c:6347)
	 Read of size 2 at addr ffff88812c518f90 by task (udev-worker)/794

	 Call Trace:
	  <TASK>
	 dump_stack_lvl (lib/dump_stack.c:122)
	 print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
	 ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 ./include/linux/rcupdate.h:953 ./include/linux/mmzone.h:2034 arch/x86/mm/physaddr.c:65)
	 ? __bnxt_hwrm_vnic_set_rss (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6307 drivers/net/ethernet/broadcom/bnxt/bnxt.c:6347)
	 kasan_report (mm/kasan/report.c:603)
	 ? __bnxt_hwrm_vnic_set_rss (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6307 drivers/net/ethernet/broadcom/bnxt/bnxt.c:6347)
	 __bnxt_hwrm_vnic_set_rss (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6307 drivers/net/ethernet/broadcom/bnxt/bnxt.c:6347)
	 ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
	 bnxt_hwrm_vnic_set_rss.part.0 (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6379)
	 ? __bnxt_hwrm_vnic_set_rss (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6364)
	 ? __bnxt_setup_vnic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:6624)
	 __bnxt_setup_vnic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:10073)
	 bnxt_init_nic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:10144 drivers/net/ethernet/broadcom/bnxt/bnxt.c:10336 drivers/net/ethernet/broadcom/bnxt/bnxt.c:10432)
	 ? bnxt_alloc_and_setup_vnic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:10425)
	 ? __irq_apply_affinity_hint (kernel/irq/manage.c:471 kernel/irq/manage.c:516)
	 ? irq_set_affinity_locked (kernel/irq/manage.c:507)
	 ? alloc_cpumask_var_node (lib/cpumask.c:62)
	 __bnxt_open_nic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:12103)
	 ? __netdev_update_features (net/core/dev.c:10116)
	 ? bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:12064)
	 ? __bnxt_close_nic.constprop.0 (drivers/net/ethernet/broadcom/bnxt/bnxt.c:10918 drivers/net/ethernet/broadcom/bnxt/bnxt.c:12323)
	 ? bnxt_set_channels (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/netdevice.h:3588 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c:1003)
	 bnxt_open_nic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:12179)
	 ethtool_set_channels (net/ethtool/ioctl.c:2117)
	 ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4995)
	 ? ethtool_set_settings (net/ethtool/ioctl.c:2065)
	 ? security_capable (security/security.c:1036 (discriminator 13))
	 __dev_ethtool (net/ethtool/ioctl.c:3275)
	 ? unwind_next_frame (arch/x86/kernel/unwind_orc.c:673)
	 ? arch_stack_walk (arch/x86/kernel/stacktrace.c:24)
	 ? ethtool_get_module_info_call (net/ethtool/ioctl.c:3044)
	 ? __lock_acquire (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:227 kernel/locking/lockdep.c:3780 kernel/locking/lockdep.c:3836 kernel/locking/lockdep.c:5142)
	 ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4995)
	 ? stack_trace_save (kernel/stacktrace.c:123)
	 ? lock_acquire (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5761 kernel/locking/lockdep.c:5724)
	 ? lock_sync (kernel/locking/lockdep.c:5727)
	 ? __kasan_kmalloc (mm/kasan/common.c:391)
	 ? dev_ethtool (net/ethtool/ioctl.c:3351)
	 ? dev_ioctl (net/core/dev_ioctl.c:721)
	 ? sock_ioctl (net/socket.c:1344)
	 ? rcu_is_watching (./include/linux/context_tracking.h:122 kernel/rcu/tree.c:726)
	 ? trace_contention_end (./include/trace/events/lock.h:122 (discriminator 52))
	 ? __mutex_lock (./arch/x86/include/asm/preempt.h:103 kernel/locking/mutex.c:618 kernel/locking/mutex.c:752)
	 ? lock_downgrade (kernel/locking/lockdep.c:5767)
	 ? dev_ethtool (net/ethtool/ioctl.c:3365)
	 ? sock_do_ioctl (net/socket.c:1237)
	 ? mutex_lock_io_nested (kernel/locking/mutex.c:751)
	 ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
	 ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
	 ? rcu_is_watching (./include/linux/context_tracking.h:122 kernel/rcu/tree.c:726)
	 ? trace_kmalloc (./include/trace/events/kmem.h:54 (discriminator 52))
	 ? __kmalloc_cache_noprof (./include/linux/kasan.h:211 mm/slub.c:4189)
	 dev_ethtool (net/ethtool/ioctl.c:3365)
	 ? __dev_ethtool (net/ethtool/ioctl.c:3342)
	 dev_ioctl (net/core/dev_ioctl.c:721)
	 sock_do_ioctl (net/socket.c:1237)
	 ? put_user_ifreq (net/socket.c:1214)
	 ? find_held_lock (kernel/locking/lockdep.c:5249)
	 sock_ioctl (net/socket.c:1344)
	 ? br_ioctl_call (net/socket.c:1250)
	 ? seccomp_notify_ioctl (kernel/seccomp.c:1218)
	 ? ktime_get_coarse_real_ts64 (./include/linux/seqlock.h:74 kernel/time/timekeeping.c:2390)
	 ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4420)
	 __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893)
	 do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
	 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
	 RIP: 0033:0x7fab3150357b
	 Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 75 68 0f 00 f7 d8 64 89 01 48
	All code
	========
	   0:   ff                      (bad)
	   1:   ff                      (bad)
	   2:   ff 85 c0 79 9b 49       incl   0x499b79c0(%rbp)
	   8:   c7 c4 ff ff ff ff       mov    $0xffffffff,%esp
	   e:   5b                      pop    %rbx
	   f:   5d                      pop    %rbp
	  10:   4c 89 e0                mov    %r12,%rax
	  13:   41 5c                   pop    %r12
	  15:   c3                      ret
	  16:   66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
	  1d:   00 00
	  1f:   f3 0f 1e fa             endbr64
	  23:   b8 10 00 00 00          mov    $0x10,%eax
	  28:   0f 05                   syscall
	  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
	  30:   73 01                   jae    0x33
	  32:   c3                      ret
	  33:   48 8b 0d 75 68 0f 00    mov    0xf6875(%rip),%rcx        # 0xf68af
	  3a:   f7 d8                   neg    %eax
	  3c:   64 89 01                mov    %eax,%fs:(%rcx)
	  3f:   48                      rex.W

	Code starting with the faulting instruction
	===========================================
	   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
	   6:   73 01                   jae    0x9
	   8:   c3                      ret
	   9:   48 8b 0d 75 68 0f 00    mov    0xf6875(%rip),%rcx        # 0xf6885
	  10:   f7 d8                   neg    %eax
	  12:   64 89 01                mov    %eax,%fs:(%rcx)
	  15:   48                      rex.W
	 RSP: 002b:00007ffe53677a28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	 RAX: ffffffffffffffda RBX: 000055b5a1868cd8 RCX: 00007fab3150357b
	 RDX: 00007ffe53677a60 RSI: 0000000000008946 RDI: 000000000000001f
	 RBP: 00007ffe53677ab0 R08: 0000000000000000 R09: 0000000000000000
	 R10: 000055b5a18c9110 R11: 0000000000000246 R12: 000055b5a18c0ca0
	 R13: 000055b5a1866d18 R14: 00007ffe53677a60 R15: 000055b5a18becb0
	  </TASK>

	 Allocated by task 794:
	 kasan_save_stack (mm/kasan/common.c:48)
	 kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
	 __kasan_kmalloc (mm/kasan/common.c:391)
	 __kmalloc_noprof (mm/slub.c:4159 mm/slub.c:4170)
	 bnxt_alloc_mem (drivers/net/ethernet/broadcom/bnxt/bnxt.c:4696 drivers/net/ethernet/broadcom/bnxt/bnxt.c:5323)
	 __bnxt_open_nic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:12088)
	 bnxt_open_nic (drivers/net/ethernet/broadcom/bnxt/bnxt.c:12179)
	 ethtool_set_channels (net/ethtool/ioctl.c:2117)
	 __dev_ethtool (net/ethtool/ioctl.c:3275)
	 dev_ethtool (net/ethtool/ioctl.c:3365)
	 dev_ioctl (net/core/dev_ioctl.c:721)
	 sock_do_ioctl (net/socket.c:1237)
	 sock_ioctl (net/socket.c:1344)
	 __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893)
	 do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
	 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	 The buggy address belongs to the object at ffff88812c518f80
	which belongs to the cache kmalloc-16 of size 16
	 The buggy address is located 0 bytes to the right of
	allocated 16-byte region [ffff88812c518f80, ffff88812c518f90)

	 The buggy address belongs to the physical page:
	 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c518
	 anon flags: 0x5ffff0000000000(node=0|zone=2|lastcpupid=0x1ffff)
	 page_type: 0xfdffffff(slab)
	 raw: 05ffff0000000000 ffff88810004c640 0000000000000000 0000000000000001
	 raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
	 page dumped because: kasan: bad access detected

	 Memory state around the buggy address:
	  ffff88812c518e80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
	  ffff88812c518f00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
	 >ffff88812c518f80: 00 00 fc fc 00 00 fc fc 00 01 fc fc fa fb fc fc
				  ^
	  ffff88812c519000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  ffff88812c519080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	 ==================================================================


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ