| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241213120414.GS2110@kernel.org> Date: Fri, 13 Dec 2024 12:04:14 +0000 From: Simon Horman <horms@...nel.org> To: Alejandro Lucero Palau <alucerop@....com> Cc: alejandro.lucero-palau@....com, linux-cxl@...r.kernel.org, netdev@...r.kernel.org, dan.j.williams@...el.com, martin.habets@...inx.com, edward.cree@....com, davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com, dave.jiang@...el.com Subject: Re: [PATCH v7 28/28] sfc: support pio mapping based on cxl On Fri, Dec 13, 2024 at 11:45:41AM +0000, Alejandro Lucero Palau wrote: > > On 12/13/24 10:24, Simon Horman wrote: > > On Fri, Dec 13, 2024 at 10:20:30AM +0000, Alejandro Lucero Palau wrote: > > > On 12/12/24 21:22, Simon Horman wrote: > > > > On Mon, Dec 09, 2024 at 06:54:29PM +0000, alejandro.lucero-palau@....com wrote: > > > > > From: Alejandro Lucero <alucerop@....com> > > > > > > > > > > With a device supporting CXL and successfully initialised, use the cxl > > > > > region to map the memory range and use this mapping for PIO buffers. > > > > > > > > > > Signed-off-by: Alejandro Lucero <alucerop@....com> > > > > > --- > > > > > drivers/net/ethernet/sfc/ef10.c | 48 +++++++++++++++++++++++---- > > > > > drivers/net/ethernet/sfc/efx_cxl.c | 19 ++++++++++- > > > > > drivers/net/ethernet/sfc/net_driver.h | 2 ++ > > > > > drivers/net/ethernet/sfc/nic.h | 3 ++ > > > > > 4 files changed, 65 insertions(+), 7 deletions(-) > > > > > > > > > > diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c > > > > > index 452009ed7a43..4587ca884c03 100644 > > > > > --- a/drivers/net/ethernet/sfc/ef10.c > > > > > +++ b/drivers/net/ethernet/sfc/ef10.c > > > > > @@ -24,6 +24,7 @@ > > > > > #include <linux/wait.h> > > > > > #include <linux/workqueue.h> > > > > > #include <net/udp_tunnel.h> > > > > > +#include "efx_cxl.h" > > > > > /* Hardware control for EF10 architecture including 'Huntington'. */ > > > > > @@ -177,6 +178,12 @@ static int efx_ef10_init_datapath_caps(struct efx_nic *efx) > > > > > efx->num_mac_stats); > > > > > } > > > > Hi Alejandro, > > > > > > > > Earlier in efx_ef10_init_datapath_caps, outbuf is declared using: > > > > > > > > MCDI_DECLARE_BUF(outbuf, MC_CMD_GET_CAPABILITIES_V4_OUT_LEN); > > > > > > > > This will result in the following declaration: > > > > > > > > efx_dword_t _name[DIV_ROUND_UP(MC_CMD_GET_CAPABILITIES_V4_OUT_LEN, 4)] > > > > > > > > Where MC_CMD_GET_CAPABILITIES_V4_OUT_LEN is defined as 78. > > > > So outbuf will be an array with DIV_ROUND_UP(78, 4) == 20 elements. > > > > > > > > > + if (outlen < MC_CMD_GET_CAPABILITIES_V7_OUT_LEN) > > > > > + nic_data->datapath_caps3 = 0; > > > > > + else > > > > > + nic_data->datapath_caps3 = MCDI_DWORD(outbuf, > > > > > + GET_CAPABILITIES_V7_OUT_FLAGS3); > > > > > + > > > > > return 0; > > > > > } > > > > MC_CMD_GET_CAPABILITIES_V7_OUT_FLAGS3_OFST is defined as 148. > > > > And the above will result in an access to element 148 / 4 == 37 of > > > > outbuf. A buffer overflow. > > > > > > Hi Simon, > > > > > > > > > This is, obviously, quite serious, although being the first and only flag in > > > that MCDI extension explains why has gone hidden and harmless (as it is a > > > read). > > > > > > > > > I'll definitely fix it. > > > > > > > > > Thanks! > > Likewise, thanks. > > > > Please to look at my analysis with a sceptical eye. > > It is my understanding based on looking at the code in > > the context of the compiler warnings. > > > > Yes, I need to confirm this, but it looks a problem. > > > BTW, I can not get the same warning/error with gcc 11.4. Just for being > sure, are you just compiling with make W=1 or applying some other gcc param > or kernel config option? Hi Alejandro, Sorry about the incomplete information. I checked and with gcc 14.2 -Warray-bounds is needed to for it to flag this problem. make EXTRA_CFLAGS="-Warray-bounds" ...
Powered by blists - more mailing lists