* [bug report] Add support for the latest 1G/10G Chelsio adapter, T3.
@ 2020-07-20 12:53 dan.carpenter
From: dan.carpenter @ 2020-07-20 12:53 UTC (permalink / raw)
To: kernel-janitors
Hi Vishal,
This is ancient code, but apparently you worked on it recently and no
good deed goes unpunished. ;)
The patch 4d22de3e6cc4: "Add support for the latest 1G/10G Chelsio
adapter, T3." from Jan 18, 2007, leads to the following static
checker warning:
drivers/net/ethernet/chelsio/cxgb3/sge.c:2086 rx_eth()
error: buffer overflow 'adap->port' 2 <= 15 user_rl='0-15' uncapped
drivers/net/ethernet/chelsio/cxgb3/sge.c
2078 static void rx_eth(struct adapter *adap, struct sge_rspq *rq,
2079 struct sk_buff *skb, int pad, int lro)
2080 {
2081 struct cpl_rx_pkt *p = (struct cpl_rx_pkt *)(skb->data + pad);
^^^^^^^^^
Smatch distrusts skb->data.
2082 struct sge_qset *qs = rspq_to_qset(rq);
2083 struct port_info *pi;
2084
2085 skb_pull(skb, sizeof(*p) + pad);
2086 skb->protocol = eth_type_trans(skb, adap->port[p->iff]);
^^^^^^
So it says that this can crash. The ->port array only has two elements
and p->iff can go up to 16. This seems like a valid bug. I'm not
really sure how to address it..
2087 pi = netdev_priv(skb->dev);
2088 if ((skb->dev->features & NETIF_F_RXCSUM) && p->csum_valid &&
2089 p->csum == htons(0xffff) && !p->fragment) {
2090 qs->port_stats[SGE_PSTAT_RX_CSUM_GOOD]++;
2091 skb->ip_summed = CHECKSUM_UNNECESSARY;
2092 } else
2093 skb_checksum_none_assert(skb);
2094 skb_record_rx_queue(skb, qs - &adap->sge.qs[pi->first_qset]);
2095
2096 if (p->vlan_valid) {
2097 qs->port_stats[SGE_PSTAT_VLANEX]++;
2098 __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), ntohs(p->vlan));
2099 }
2100 if (rq->polling) {
2101 if (lro)
regards,
dan carpenter
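One way to bounds-check an index read from packet data before it is used as an array offset, as an added user-space example that is not part of the original message and not the driver's code. The `model_*` names, the one-byte header with the index in its low 4 bits, and the drop counter are assumptions of this sketch; only the 0-15 range and the two-element array come from the report.

```c
#include <stddef.h>
#include <stdint.h>

#define MODEL_NPORTS 2 /* the report says ->port has two elements */

/* Hypothetical user-space stand-ins for net_device and adapter. */
struct model_netdev { int id; };
struct model_adapter {
	struct model_netdev *port[MODEL_NPORTS];
	unsigned long rx_bad_iff; /* drop counter (assumption of this model) */
};

/* Return the receiving port, or NULL when the header is missing or the
 * index taken from packet data does not name a populated port. */
static struct model_netdev *model_rx_port(struct model_adapter *adap,
		const uint8_t *data, size_t len, size_t pad)
{
	unsigned int iff;

	if (pad >= len) /* the header byte must lie inside the buffer */
		return NULL;
	/* Assumption: index modelled as the low 4 bits of the first header
	 * byte (range 0-15); this is not the real cpl_rx_pkt layout. */
	iff = data[pad] & 0x0f;
	if (iff >= MODEL_NPORTS || !adap->port[iff]) {
		adap->rx_bad_iff++; /* count and drop instead of indexing */
		return NULL;
	}
	return adap->port[iff];
}

/* Constructed input: 2 pad bytes followed by one header byte. */
static int model_demo(uint8_t hdr_byte)
{
	struct model_netdev d0 = { 0 }, d1 = { 1 };
	struct model_adapter adap = { { &d0, &d1 }, 0 };
	uint8_t buf[3] = { 0, 0, hdr_byte };
	struct model_netdev *dev = model_rx_port(&adap, buf, sizeof(buf), 2);

	return dev ? dev->id : -1;
}

int main(void)
{
	return (model_demo(0x01) == 1 && model_demo(0x0f) == -1) ? 0 : 1;
}
```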
* [bug report] Add support for the latest 1G/10G Chelsio adapter, T3.
@ 2018-01-23 9:50 Dan Carpenter
From: Dan Carpenter @ 2018-01-23 9:50 UTC (permalink / raw)
To: kernel-janitors
Hello Divy Le Ray,
The patch 4d22de3e6cc4: "Add support for the latest 1G/10G Chelsio
adapter, T3." from Jan 18, 2007, leads to the following static
checker warning:
drivers/net/ethernet/chelsio/cxgb3/sge.c:2087 rx_eth()
error: buffer overflow 'adap->port' 2 <= 15
drivers/net/ethernet/chelsio/cxgb3/sge.c
2068 /**
2069 * rx_eth - process an ingress ethernet packet
2070 * @adap: the adapter
2071 * @rq: the response queue that received the packet
2072 * @skb: the packet
2073 * @pad: amount of padding at the start of the buffer
2074 *
2075 * Process an ingress ethernet packet and deliver it to the stack.
2076 * The padding is 2 if the packet was delivered in an Rx buffer and 0
2077 * if it was immediate data in a response.
2078 */
2079 static void rx_eth(struct adapter *adap, struct sge_rspq *rq,
2080 struct sk_buff *skb, int pad, int lro)
2081 {
2082 struct cpl_rx_pkt *p = (struct cpl_rx_pkt *)(skb->data + pad);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch marks the p as untrusted data because it seems to come from the
network.
2083 struct sge_qset *qs = rspq_to_qset(rq);
2084 struct port_info *pi;
2085
2086 skb_pull(skb, sizeof(*p) + pad);
2087 skb->protocol = eth_type_trans(skb, adap->port[p->iff]);
^^^^^^
so how do we know that it's in the 0-3 range? Smatch thinks it could
go as high as 15.
2088 pi = netdev_priv(skb->dev);
2089 if ((skb->dev->features & NETIF_F_RXCSUM) && p->csum_valid &&
2090 p->csum == htons(0xffff) && !p->fragment) {
2091 qs->port_stats[SGE_PSTAT_RX_CSUM_GOOD]++;
2092 skb->ip_summed = CHECKSUM_UNNECESSARY;
2093 } else
2094 skb_checksum_none_assert(skb);
2095 skb_record_rx_queue(skb, qs - &adap->sge.qs[pi->first_qset]);
2096
regards,
dan carpenter
* [bug report] Add support for the latest 1G/10G Chelsio adapter, T3.
@ 2017-11-29 11:49 Dan Carpenter
From: Dan Carpenter @ 2017-11-29 11:49 UTC (permalink / raw)
To: kernel-janitors
Hello Divy Le Ray,
The patch 4d22de3e6cc4: "Add support for the latest 1G/10G Chelsio
adapter, T3." from Jan 18, 2007, leads to the following static
checker warning:
drivers/net/ethernet/chelsio/cxgb3/sge.c:2087 rx_eth()
error: buffer overflow 'adap->port' 2 <= 15
drivers/net/ethernet/chelsio/cxgb3/sge.c
2079 static void rx_eth(struct adapter *adap, struct sge_rspq *rq,
2080 struct sk_buff *skb, int pad, int lro)
2081 {
2082 struct cpl_rx_pkt *p = (struct cpl_rx_pkt *)(skb->data + pad);
^^^^^^^^^^^^^^^
Smatch marks all data stored in skb->data as untrusted.
2083 struct sge_qset *qs = rspq_to_qset(rq);
2084 struct port_info *pi;
2085
2086 skb_pull(skb, sizeof(*p) + pad);
2087 skb->protocol = eth_type_trans(skb, adap->port[p->iff]);
^^^^^^^
But we're using it as an array offset without doing a bounds check.
Does skb->data come from the firmware? Perhaps this code is fine as-is.
2088 pi = netdev_priv(skb->dev);
2089 if ((skb->dev->features & NETIF_F_RXCSUM) && p->csum_valid &&
2090 p->csum == htons(0xffff) && !p->fragment) {
2091 qs->port_stats[SGE_PSTAT_RX_CSUM_GOOD]++;
2092 skb->ip_summed = CHECKSUM_UNNECESSARY;
2093 } else
2094 skb_checksum_none_assert(skb);
regards,
dan carpenter