| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAvyFNjo4hC6_L=xdMgz1CvzpHa1Jr0JMuH7xx1WfTs9+f8f3g@mail.gmail.com>
Date: Wed, 20 Aug 2025 14:37:08 +1000
From: Jamie Bainbridge <jamie.bainbridge@...il.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Manish Chopra <manishc@...vell.com>, Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Ariel Elior <Ariel.Elior@...ium.com>,
Michal Kalderon <Michal.Kalderon@...ium.com>, Manish Rangankar <manish.rangankar@...ium.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] qed: Don't write past the end of GRC debug buffer
On Wed, 20 Aug 2025 at 10:47, Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Fri, 15 Aug 2025 14:17:25 +1000 Jamie Bainbridge wrote:
> > In the GRC dump path, "len" count of dword-sized registers are read into
> > the previously-allocated GRC dump buffer.
>
> How did you find the issue? Did you happen to have a stack trace?
> It'd be great to know the call trace cause the code is hard to make
> sense of.
We have a customer vmcore and a private Jira Issue with Marvell.
I can submit a v2 with a panic backtrace. However...
> > However, the amount of data written into the GRC dump buffer is never
> > checked against the length of the dump buffer. This can result in
> > writing past the end of the dump buffer's kmalloc and a kernel panic.
>
> I could be misreading but it sounds to me like you're trying to protect
> against overflow on dump_buf, while the code is protecting against going
> over the "feature" buf_size.
I double-checked based on your comment and I have selected the wrong
buffer in the array.
Like you said, it's not easy to follow.
I will resubmit this if possible.
Please disregard this patch for now. Sorry for the bother and thank
you for your review!
Jamie
> > Resolve this by clamping the amount of data written to the length of the
> > dump buffer, avoiding the out-of-bounds memory access and panic.
> >
> > Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0")
> > Signed-off-by: Jamie Bainbridge <jamie.bainbridge@...il.com>
> > ---
> > drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
> > index 9c3d3dd2f84753100d3c639505677bd53e3ca543..2e88fd79a02e220fc05caa8c27bb7d41b4b37c0d 100644
> > --- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
> > +++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
> > @@ -2085,6 +2085,13 @@ static u32 qed_grc_dump_addr_range(struct qed_hwfn *p_hwfn,
> > dev_data->pretend.split_id = split_id;
> > }
> >
> > + /* Ensure we don't write past the end of the GRC buffer */
> > + u32 buf_size_bytes = p_hwfn->cdev->dbg_features[DBG_FEATURE_GRC].buf_size;
> > + u32 len_bytes = len * sizeof(u32);
>
> Please don't mix code with variable declarations.
>
> > + if (len_bytes > buf_size_bytes)
> > + len = buf_size_bytes / sizeof(u32);
>
> The way it's written it seems to be protecting from buffer being too
> big for the feature. In which case you must take addr into account
> and make sure dump_buf was zeroed.
> --
> pw-bot: cr
Powered by blists - more mailing lists