| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d816e960-eb12-4e19-5e47-c4980df924e8@amd.com> Date: Fri, 13 Dec 2024 11:45:41 +0000 From: Alejandro Lucero Palau <alucerop@....com> To: Simon Horman <horms@...nel.org> Cc: alejandro.lucero-palau@....com, linux-cxl@...r.kernel.org, netdev@...r.kernel.org, dan.j.williams@...el.com, martin.habets@...inx.com, edward.cree@....com, davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com, dave.jiang@...el.com Subject: Re: [PATCH v7 28/28] sfc: support pio mapping based on cxl On 12/13/24 10:24, Simon Horman wrote: > On Fri, Dec 13, 2024 at 10:20:30AM +0000, Alejandro Lucero Palau wrote: >> On 12/12/24 21:22, Simon Horman wrote: >>> On Mon, Dec 09, 2024 at 06:54:29PM +0000, alejandro.lucero-palau@....com wrote: >>>> From: Alejandro Lucero <alucerop@....com> >>>> >>>> With a device supporting CXL and successfully initialised, use the cxl >>>> region to map the memory range and use this mapping for PIO buffers. >>>> >>>> Signed-off-by: Alejandro Lucero <alucerop@....com> >>>> --- >>>> drivers/net/ethernet/sfc/ef10.c | 48 +++++++++++++++++++++++---- >>>> drivers/net/ethernet/sfc/efx_cxl.c | 19 ++++++++++- >>>> drivers/net/ethernet/sfc/net_driver.h | 2 ++ >>>> drivers/net/ethernet/sfc/nic.h | 3 ++ >>>> 4 files changed, 65 insertions(+), 7 deletions(-) >>>> >>>> diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c >>>> index 452009ed7a43..4587ca884c03 100644 >>>> --- a/drivers/net/ethernet/sfc/ef10.c >>>> +++ b/drivers/net/ethernet/sfc/ef10.c >>>> @@ -24,6 +24,7 @@ >>>> #include <linux/wait.h> >>>> #include <linux/workqueue.h> >>>> #include <net/udp_tunnel.h> >>>> +#include "efx_cxl.h" >>>> /* Hardware control for EF10 architecture including 'Huntington'. */ >>>> @@ -177,6 +178,12 @@ static int efx_ef10_init_datapath_caps(struct efx_nic *efx) >>>> efx->num_mac_stats); >>>> } >>> Hi Alejandro, >>> >>> Earlier in efx_ef10_init_datapath_caps, outbuf is declared using: >>> >>> MCDI_DECLARE_BUF(outbuf, MC_CMD_GET_CAPABILITIES_V4_OUT_LEN); >>> >>> This will result in the following declaration: >>> >>> efx_dword_t _name[DIV_ROUND_UP(MC_CMD_GET_CAPABILITIES_V4_OUT_LEN, 4)] >>> >>> Where MC_CMD_GET_CAPABILITIES_V4_OUT_LEN is defined as 78. >>> So outbuf will be an array with DIV_ROUND_UP(78, 4) == 20 elements. >>> >>>> + if (outlen < MC_CMD_GET_CAPABILITIES_V7_OUT_LEN) >>>> + nic_data->datapath_caps3 = 0; >>>> + else >>>> + nic_data->datapath_caps3 = MCDI_DWORD(outbuf, >>>> + GET_CAPABILITIES_V7_OUT_FLAGS3); >>>> + >>>> return 0; >>>> } >>> MC_CMD_GET_CAPABILITIES_V7_OUT_FLAGS3_OFST is defined as 148. >>> And the above will result in an access to element 148 / 4 == 37 of >>> outbuf. A buffer overflow. >> >> Hi Simon, >> >> >> This is, obviously, quite serious, although being the first and only flag in >> that MCDI extension explains why has gone hidden and harmless (as it is a >> read). >> >> >> I'll definitely fix it. >> >> >> Thanks! > Likewise, thanks. > > Please to look at my analysis with a sceptical eye. > It is my understanding based on looking at the code in > the context of the compiler warnings. > Yes, I need to confirm this, but it looks a problem. BTW, I can not get the same warning/error with gcc 11.4. Just for being sure, are you just compiling with make W=1 or applying some other gcc param or kernel config option?
Powered by blists - more mailing lists