lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250819174748.7d5869d3@kernel.org>
Date: Tue, 19 Aug 2025 17:47:48 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Jamie Bainbridge <jamie.bainbridge@...il.com>
Cc: Manish Chopra <manishc@...vell.com>, Andrew Lunn
 <andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Ariel Elior
 <Ariel.Elior@...ium.com>, Michal Kalderon <Michal.Kalderon@...ium.com>,
 Manish Rangankar <manish.rangankar@...ium.com>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] qed: Don't write past the end of GRC debug buffer

On Fri, 15 Aug 2025 14:17:25 +1000 Jamie Bainbridge wrote:
> In the GRC dump path, "len" count of dword-sized registers are read into
> the previously-allocated GRC dump buffer.

How did you find the issue? Did you happen to have a stack trace?
It'd be great to know the call trace cause the code is hard to make
sense of.

> However, the amount of data written into the GRC dump buffer is never
> checked against the length of the dump buffer. This can result in
> writing past the end of the dump buffer's kmalloc and a kernel panic.

I could be misreading but it sounds to me like you're trying to protect
against overflow on dump_buf, while the code is protecting against going
over the "feature" buf_size.

> Resolve this by clamping the amount of data written to the length of the
> dump buffer, avoiding the out-of-bounds memory access and panic.
> 
> Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0")
> Signed-off-by: Jamie Bainbridge <jamie.bainbridge@...il.com>
> ---
>  drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
> index 9c3d3dd2f84753100d3c639505677bd53e3ca543..2e88fd79a02e220fc05caa8c27bb7d41b4b37c0d 100644
> --- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
> +++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
> @@ -2085,6 +2085,13 @@ static u32 qed_grc_dump_addr_range(struct qed_hwfn *p_hwfn,
>  		dev_data->pretend.split_id = split_id;
>  	}
>  
> +	/* Ensure we don't write past the end of the GRC buffer */
> +	u32 buf_size_bytes = p_hwfn->cdev->dbg_features[DBG_FEATURE_GRC].buf_size;
> +	u32 len_bytes = len * sizeof(u32);

Please don't mix code with variable declarations.

> +	if (len_bytes > buf_size_bytes)
> +		len = buf_size_bytes / sizeof(u32);

The way it's written it seems to be protecting from buffer being too
big for the feature. In which case you must take addr into account
and make sure dump_buf was zeroed.
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ