* [PATCH] net: sfc: fix possible buffer overflow caused by bad DMA value in efx_siena_sriov_vfdi()
@ 2020-08-02 15:39 Jia-Ju Bai
From: Jia-Ju Bai @ 2020-08-02 15:39 UTC
  To: linux-net-drivers, ecree, mhabets, davem, kuba
  Cc: netdev, linux-kernel, Jia-Ju Bai

In efx_siena_sriov_vfdi():
  req = vf->buf.addr;

Because "vf->buf.addr" is mapped to coherent DMA (allocated in
efx_nic_alloc_buffer()), "req" is also mapped to DMA.

Then "req->op" is accessed in this function:
  if (req->op < VFDI_OP_LIMIT && vfdi_ops[req->op] != NULL) {
    rc = vfdi_ops[req->op](vf);

Because "req" is mapped to DMA, its data can be modified at any time by
malicious or malfunctioning hardware. In this case, the check 
"if (req->op < VFDI_OP_LIMIT)" can be passed, and then "req->op" can be
modified to cause buffer overflow when the driver accesses
"vfdi_ops[req->op]".

To fix this problem, "req->op" is assigned to a local variable, and then
the driver accesses this variable instead of "req->op".

Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
---
 drivers/net/ethernet/sfc/siena_sriov.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/sfc/siena_sriov.c b/drivers/net/ethernet/sfc/siena_sriov.c
index 83dcfcae3d4b..21a8482cbb3b 100644
--- a/drivers/net/ethernet/sfc/siena_sriov.c
+++ b/drivers/net/ethernet/sfc/siena_sriov.c
@@ -875,6 +875,7 @@ static void efx_siena_sriov_vfdi(struct work_struct *work)
 	struct vfdi_req *req = vf->buf.addr;
 	struct efx_memcpy_req copy[2];
 	int rc;
+	u32 op = req->op;
 
 	/* Copy this page into the local address space */
 	memset(copy, '\0', sizeof(copy));
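Review bot: The initialiser `u32 op = req->op;` runs before the "Copy this page into the local address space" step that follows the declarations, so if that copy is what fills vf->buf, op holds the buffer's previous contents rather than the request about to be dispatched. Take the snapshot after the copy has completed, immediately before the VFDI_OP_LIMIT check, and read it with READ_ONCE(req->op) so the compiler cannot turn the local back into repeated loads from the DMA buffer. Assigning in the function body also avoids adding a longer declaration line below `int rc;`.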
@@ -894,17 +895,17 @@ static void efx_siena_sriov_vfdi(struct work_struct *work)
 		return;
 	}
 
-	if (req->op < VFDI_OP_LIMIT && vfdi_ops[req->op] != NULL) {
-		rc = vfdi_ops[req->op](vf);
+	if (op < VFDI_OP_LIMIT && vfdi_ops[op] != NULL) {
+		rc = vfdi_ops[op](vf);
 		if (rc == 0) {
 			netif_dbg(efx, hw, efx->net_dev,
 				  "vfdi request %d from %s ok\n",
-				  req->op, vf->pci_name);
+				  op, vf->pci_name);
 		}
 	} else {
 		netif_dbg(efx, hw, efx->net_dev,
 			  "ERROR: Unrecognised request %d from VF %s addr "
-			  "%llx\n", req->op, vf->pci_name,
+			  "%llx\n", op, vf->pci_name,
 			  (unsigned long long)vf->req_addr);
 		rc = VFDI_RC_EOPNOTSUPP;
 	}
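Review bot: Both netif_dbg() format strings still print the opcode with %d, but op is declared u32 in this patch; use %u in "vfdi request %d from %s ok\n" and in the "Unrecognised request %d" message. The bounds check and the vfdi_ops[] index now share one value, which is the point of the change, but if the opcode is treated as untrusted input then array_index_nospec(op, VFDI_OP_LIMIT) after the check would also cover a speculative out-of-bounds index.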
-- 
2.17.1
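
The check-then-use race described in the commit message, modelled in user space as an added example (not code from the patch or the sfc driver). `fetch_op`, `simulate`, the table `ops` and the value of `OP_LIMIT` are constructed stand-ins, and the "device" is simulated by rewriting the field after the first read.

```c
#include <stdint.h>
#include <stdio.h>

#define OP_LIMIT 4 /* stands in for VFDI_OP_LIMIT; the value is constructed */
struct req { volatile uint32_t op; }; /* models the DMA-visible request */

static int fetches;             /* reads of shared memory so far */
static uint32_t device_rewrite; /* value the simulated device stores */

/* Sole accessor for shared memory; the simulated device rewrites op after read #1. */
static uint32_t fetch_op(struct req *r)
{
	uint32_t v = r->op;
	if (++fetches == 1)
		r->op = device_rewrite;
	return v;
}
static int op_ok(void) { return 0; }
static int (*const ops[OP_LIMIT])(void) = { op_ok, op_ok, NULL, op_ok };

/* Pre-patch shape: checked on one fetch, indexed with another. Returns the
 * index that would reach the table (not dereferenced here), or -1. */
static long dispatch_double_fetch(struct req *r)
{
	if (fetch_op(r) < OP_LIMIT)
		return (long)fetch_op(r);
	return -1;
}

/* Patched shape: one fetch into a local; check and use share that value.
 * In kernel code the snapshot would be taken with READ_ONCE(). */
static long dispatch_single_fetch(struct req *r)
{
	uint32_t op = fetch_op(r);
	return (op < OP_LIMIT && ops[op] != NULL) ? (long)op : -1;
}

static long simulate(long (*dispatch)(struct req *), uint32_t first, uint32_t rewrite)
{
	struct req r = { .op = first };
	fetches = 0;
	device_rewrite = rewrite;
	return dispatch(&r);
}

int main(void)
{
	printf("double fetch index: %ld\n", simulate(dispatch_double_fetch, 1, 1000));
	printf("single fetch index: %ld\n", simulate(dispatch_single_fetch, 1, 1000));
	return 0;
}
```

With the double fetch the index that reaches the table is the rewritten value, past `OP_LIMIT`; with the single fetch it is the value that was checked.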



* Re: [PATCH] net: sfc: fix possible buffer overflow caused by bad DMA value in efx_siena_sriov_vfdi()
  2020-08-02 15:39 [PATCH] net: sfc: fix possible buffer overflow caused by bad DMA value in efx_siena_sriov_vfdi() Jia-Ju Bai
@ 2020-08-03 20:46 ` Edward Cree
From: Edward Cree @ 2020-08-03 20:46 UTC
  To: Jia-Ju Bai, linux-net-drivers, mhabets, davem, kuba; +Cc: netdev, linux-kernel

On 02/08/2020 16:39, Jia-Ju Bai wrote:
> To fix this problem, "req->op" is assigned to a local variable, and then
> the driver accesses this variable instead of "req->op".
>
> Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
Not sure how necessary this is (or even if anyone's still using Siena
SR-IOV, since it needed a specially-patched libvirt to work), but I
don't see any reason to refuse.
> diff --git a/drivers/net/ethernet/sfc/siena_sriov.c b/drivers/net/ethernet/sfc/siena_sriov.c
> index 83dcfcae3d4b..21a8482cbb3b 100644
> --- a/drivers/net/ethernet/sfc/siena_sriov.c
> +++ b/drivers/net/ethernet/sfc/siena_sriov.c
> @@ -875,6 +875,7 @@ static void efx_siena_sriov_vfdi(struct work_struct *work)
>  	struct vfdi_req *req = vf->buf.addr;
>  	struct efx_memcpy_req copy[2];
>  	int rc;
> +	u32 op = req->op;
Could you maybe fix up the xmas here, rather than making it worse?

Also, you didn't specify in your Subject line which tree this is for.

-ed
