lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241213102439.GI2110@kernel.org>
Date: Fri, 13 Dec 2024 10:24:39 +0000
From: Simon Horman <horms@...nel.org>
To: Alejandro Lucero Palau <alucerop@....com>
Cc: alejandro.lucero-palau@....com, linux-cxl@...r.kernel.org,
	netdev@...r.kernel.org, dan.j.williams@...el.com,
	martin.habets@...inx.com, edward.cree@....com, davem@...emloft.net,
	kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com,
	dave.jiang@...el.com
Subject: Re: [PATCH v7 28/28] sfc: support pio mapping based on cxl

On Fri, Dec 13, 2024 at 10:20:30AM +0000, Alejandro Lucero Palau wrote:
> 
> On 12/12/24 21:22, Simon Horman wrote:
> > On Mon, Dec 09, 2024 at 06:54:29PM +0000, alejandro.lucero-palau@....com wrote:
> > > From: Alejandro Lucero <alucerop@....com>
> > > 
> > > With a device supporting CXL and successfully initialised, use the cxl
> > > region to map the memory range and use this mapping for PIO buffers.
> > > 
> > > Signed-off-by: Alejandro Lucero <alucerop@....com>
> > > ---
> > >   drivers/net/ethernet/sfc/ef10.c       | 48 +++++++++++++++++++++++----
> > >   drivers/net/ethernet/sfc/efx_cxl.c    | 19 ++++++++++-
> > >   drivers/net/ethernet/sfc/net_driver.h |  2 ++
> > >   drivers/net/ethernet/sfc/nic.h        |  3 ++
> > >   4 files changed, 65 insertions(+), 7 deletions(-)
> > > 
> > > diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
> > > index 452009ed7a43..4587ca884c03 100644
> > > --- a/drivers/net/ethernet/sfc/ef10.c
> > > +++ b/drivers/net/ethernet/sfc/ef10.c
> > > @@ -24,6 +24,7 @@
> > >   #include <linux/wait.h>
> > >   #include <linux/workqueue.h>
> > >   #include <net/udp_tunnel.h>
> > > +#include "efx_cxl.h"
> > >   /* Hardware control for EF10 architecture including 'Huntington'. */
> > > @@ -177,6 +178,12 @@ static int efx_ef10_init_datapath_caps(struct efx_nic *efx)
> > >   			  efx->num_mac_stats);
> > >   	}
> > Hi Alejandro,
> > 
> > Earlier in efx_ef10_init_datapath_caps, outbuf is declared using:
> > 
> > 	MCDI_DECLARE_BUF(outbuf, MC_CMD_GET_CAPABILITIES_V4_OUT_LEN);
> > 
> > This will result in the following declaration:
> > 
> > 	efx_dword_t _name[DIV_ROUND_UP(MC_CMD_GET_CAPABILITIES_V4_OUT_LEN, 4)]
> > 
> > Where MC_CMD_GET_CAPABILITIES_V4_OUT_LEN is defined as 78.
> > So outbuf will be an array with DIV_ROUND_UP(78, 4) == 20 elements.
> > 
> > > +	if (outlen < MC_CMD_GET_CAPABILITIES_V7_OUT_LEN)
> > > +		nic_data->datapath_caps3 = 0;
> > > +	else
> > > +		nic_data->datapath_caps3 = MCDI_DWORD(outbuf,
> > > +						      GET_CAPABILITIES_V7_OUT_FLAGS3);
> > > +
> > >   	return 0;
> > >   }
> > MC_CMD_GET_CAPABILITIES_V7_OUT_FLAGS3_OFST is defined as 148.
> > And the above will result in an access to element 148 / 4 == 37 of
> > outbuf. A buffer overflow.
> 
> 
> Hi Simon,
> 
> 
> This is, obviously, quite serious, although being the first and only flag in
> that MCDI extension explains why has gone hidden and harmless (as it is a
> read).
> 
> 
> I'll definitely fix it.
> 
> 
> Thanks!

Likewise, thanks.

Please to look at my analysis with a sceptical eye.
It is my understanding based on looking at the code in
the context of the compiler warnings.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ