* [PATCH] IB/mlx4: Avoid field-overflowing memcpy()
From: Kees Cook @ 2021-06-16 20:37 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: Kees Cook, Yishai Hadas, Doug Ledford, linux-kernel, linux-rdma,
linux-hardening
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring array fields.
Use the ether_addr_copy() helper instead, as already done for smac.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/infiniband/hw/mlx4/qp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 2ae22bf50016..4a2ef7daaded 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -3144,7 +3144,7 @@ static int build_mlx_header(struct mlx4_ib_qp *qp, const struct ib_ud_wr *wr,
mlx->sched_prio = cpu_to_be16(pcp);
ether_addr_copy(sqp->ud_header.eth.smac_h, ah->av.eth.s_mac);
- memcpy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac, 6);
+ ether_addr_copy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac);
memcpy(&ctrl->srcrb_flags16[0], ah->av.eth.mac, 2);
memcpy(&ctrl->imm, ah->av.eth.mac + 2, 4);
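Review bot: the rationale for the change is not visible in the hunk itself: a 6-byte memcpy() into sqp->ud_header.eth.dmac_h is replaced by ether_addr_copy(), but nothing in the diff shows which object is declared smaller than 6 bytes, so the "field-overflowing" wording of the subject cannot be checked from the lines shown. The commit message should name the field whose declared size FORTIFY_SOURCE would compare the copy length against, or say plainly that this is a consistency change matching the ether_addr_copy() already used for smac_h on the line above. Separately, the two memcpy() calls kept in the trailing context, `memcpy(&ctrl->srcrb_flags16[0], ah->av.eth.mac, 2);` and `memcpy(&ctrl->imm, ah->av.eth.mac + 2, 4);`, split the same 6-byte address across two unrelated control fields; a one-line comment on why the MAC is carried there would spare the next reader the question.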
--
2.25.1
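The patch description above refers to FORTIFY_SOURCE's field-level bounds checking for memcpy() and to the ether_addr_copy() replacement. What follows is an added illustration, not code from the kernel, from the mlx4 driver or from this patch: it models the field-boundary check with an explicit destination-field size (the kernel's fortified memcpy() obtains that size from __builtin_object_size() instead), shows a copy that would spill from one 6-byte array field into its neighbour being refused, and contrasts it with a typed per-field helper in the spirit of ether_addr_copy(). The struct, the function and macro names, and the sample addresses are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* Two adjacent 6-byte array fields, modelled on eth.dmac_h / eth.smac_h
 * (hypothetical layout for this example, not the driver's struct). */
struct eth_hdr {
    unsigned char dmac_h[ETH_ALEN];
    unsigned char smac_h[ETH_ALEN];
};

/* memcpy() wrapper that knows the size of the destination *field*. The
 * kernel's fortified memcpy() derives it from __builtin_object_size(dst, 1);
 * here it is passed explicitly so the check does not depend on the
 * optimisation level. Returns 0 when the copy fits, -1 when it would run
 * into the next field (where the kernel would warn or panic instead). */
static int field_bounded_memcpy(void *dst, size_t dst_field_size,
                                const void *src, size_t n)
{
    if (n > dst_field_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Call-site macro: the field size is taken from the array lvalue itself. */
#define FIELD_MEMCPY(dst_field, src, n) \
    field_bounded_memcpy((dst_field), sizeof(dst_field), (src), (n))

/* Typed helper in the spirit of ether_addr_copy(): the length is fixed by
 * the parameter types, so there is no length argument to get wrong. */
static void eth_addr_copy(unsigned char dst[ETH_ALEN],
                          const unsigned char src[ETH_ALEN])
{
    memcpy(dst, src, ETH_ALEN);
}

/* Constructed sample input: destination MAC followed by source MAC. */
static const unsigned char sample_macs[2 * ETH_ALEN] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* dmac */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02, /* smac */
};

/* Layout check the example relies on: smac_h directly follows dmac_h. */
int fields_are_adjacent(void)
{
    return offsetof(struct eth_hdr, smac_h) == ETH_ALEN;
}

/* The pattern the patch series avoids: one memcpy() whose length covers
 * both fields, i.e. writing across neighbouring array fields. Returns the
 * wrapper's verdict, -1 meaning the copy was refused. */
int copy_across_fields(void)
{
    struct eth_hdr hdr;

    memset(&hdr, 0, sizeof(hdr));
    return FIELD_MEMCPY(hdr.dmac_h, sample_macs, sizeof(sample_macs));
}

/* The replacement pattern: one typed copy per field. Returns 0 when both
 * fields hold the expected bytes afterwards, -1 otherwise. */
int copy_per_field(void)
{
    struct eth_hdr hdr;

    memset(&hdr, 0, sizeof(hdr));
    eth_addr_copy(hdr.dmac_h, sample_macs);
    eth_addr_copy(hdr.smac_h, sample_macs + ETH_ALEN);

    if (memcmp(hdr.dmac_h, sample_macs, ETH_ALEN) != 0)
        return -1;
    if (memcmp(hdr.smac_h, sample_macs + ETH_ALEN, ETH_ALEN) != 0)
        return -1;
    return 0;
}

int main(void)
{
    printf("fields adjacent: %d\n", fields_are_adjacent());
    printf("copy across fields: %s\n",
           copy_across_fields() == -1 ? "refused" : "allowed");
    printf("copy per field: %s\n", copy_per_field() == 0 ? "ok" : "mismatch");
    return 0;
}
```

The point of the typed helper is that the size lives in the declaration rather than in a literal at every call site, which is exactly what lets a field-aware bounds check stay quiet: there is no length for the checker to compare against a neighbouring field.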
* Re: [PATCH] IB/mlx4: Avoid field-overflowing memcpy()
From: Leon Romanovsky @ 2021-06-17 7:24 UTC (permalink / raw)
To: Kees Cook, Jack Morgenstein
Cc: Jason Gunthorpe, Yishai Hadas, Doug Ledford, linux-kernel,
linux-rdma, linux-hardening
On Wed, Jun 16, 2021 at 01:37:44PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring array fields.
>
> Use the ether_addr_copy() helper instead, as already done for smac.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> drivers/infiniband/hw/mlx4/qp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
> index 2ae22bf50016..4a2ef7daaded 100644
> --- a/drivers/infiniband/hw/mlx4/qp.c
> +++ b/drivers/infiniband/hw/mlx4/qp.c
> @@ -3144,7 +3144,7 @@ static int build_mlx_header(struct mlx4_ib_qp *qp, const struct ib_ud_wr *wr,
> mlx->sched_prio = cpu_to_be16(pcp);
>
> ether_addr_copy(sqp->ud_header.eth.smac_h, ah->av.eth.s_mac);
> - memcpy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac, 6);
> + ether_addr_copy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac);
> memcpy(&ctrl->srcrb_flags16[0], ah->av.eth.mac, 2);
> memcpy(&ctrl->imm, ah->av.eth.mac + 2, 4);
I don't understand the last three lines. We are copying 6 bytes to
ah->av.eth.mac and immediately after that overwriting them.
Jack,
Do you remember what you wanted to achieve in commit
6ee51a4e866b ("mlx4: Adjust QP1 multiplexing for RoCE/SRIOV")?
Thanks
>
> --
> 2.25.1
>
* Re: [PATCH] IB/mlx4: Avoid field-overflowing memcpy()
From: Kees Cook @ 2021-06-17 19:46 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Jack Morgenstein, Jason Gunthorpe, Yishai Hadas, Doug Ledford,
linux-kernel, linux-rdma, linux-hardening
On Thu, Jun 17, 2021 at 10:24:58AM +0300, Leon Romanovsky wrote:
> On Wed, Jun 16, 2021 at 01:37:44PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > intentionally writing across neighboring array fields.
> >
> > Use the ether_addr_copy() helper instead, as already done for smac.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > drivers/infiniband/hw/mlx4/qp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
> > index 2ae22bf50016..4a2ef7daaded 100644
> > --- a/drivers/infiniband/hw/mlx4/qp.c
> > +++ b/drivers/infiniband/hw/mlx4/qp.c
> > @@ -3144,7 +3144,7 @@ static int build_mlx_header(struct mlx4_ib_qp *qp, const struct ib_ud_wr *wr,
> > mlx->sched_prio = cpu_to_be16(pcp);
> >
> > ether_addr_copy(sqp->ud_header.eth.smac_h, ah->av.eth.s_mac);
> > - memcpy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac, 6);
> > + ether_addr_copy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac);
> > memcpy(&ctrl->srcrb_flags16[0], ah->av.eth.mac, 2);
> > memcpy(&ctrl->imm, ah->av.eth.mac + 2, 4);
>
> I don't understand the last three lines. We are copying 6 bytes to
> ah->av.eth.mac and immediately after that overwriting them.
I'm not following (the memcpy() is replaced by ether_addr_copy()). I only
see ah->av.eth.mac being read from (not written to). And the destinations
are {s,d}mac_h:
ah->av.eth.s_mac -> sqp->ud_header.eth.smac_h (s_mac to smac_h: 6 bytes)
ah->av.eth.mac -> sqp->ud_header.eth.dmac_h (mac to dmac_h: 6 bytes)
after that I see:
ah->av.eth.mac -> &ctrl->srcrb_flags16[0] (2 bytes)
ah->av.eth.mac + 2 -> ctrl->imm (4 bytes)
The last two copy mac again in pieces, but I don't know what any of
this is actually used for, which is what I assume you're asking about. :)
> Jack,
>
> Do you remember what you wanted to achieve in commit
> 6ee51a4e866b ("mlx4: Adjust QP1 multiplexing for RoCE/SRIOV")
>
> Thanks
-Kees
--
Kees Cook
* Re: [PATCH] IB/mlx4: Avoid field-overflowing memcpy()
From: Leon Romanovsky @ 2021-06-21 8:11 UTC (permalink / raw)
To: Kees Cook
Cc: Jack Morgenstein, Jason Gunthorpe, Yishai Hadas, Doug Ledford,
linux-kernel, linux-rdma, linux-hardening
On Thu, Jun 17, 2021 at 12:46:43PM -0700, Kees Cook wrote:
> On Thu, Jun 17, 2021 at 10:24:58AM +0300, Leon Romanovsky wrote:
> > On Wed, Jun 16, 2021 at 01:37:44PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > > intentionally writing across neighboring array fields.
> > >
> > > Use the ether_addr_copy() helper instead, as already done for smac.
> > >
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > drivers/infiniband/hw/mlx4/qp.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
> > > index 2ae22bf50016..4a2ef7daaded 100644
> > > --- a/drivers/infiniband/hw/mlx4/qp.c
> > > +++ b/drivers/infiniband/hw/mlx4/qp.c
> > > @@ -3144,7 +3144,7 @@ static int build_mlx_header(struct mlx4_ib_qp *qp, const struct ib_ud_wr *wr,
> > > mlx->sched_prio = cpu_to_be16(pcp);
> > >
> > > ether_addr_copy(sqp->ud_header.eth.smac_h, ah->av.eth.s_mac);
> > > - memcpy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac, 6);
> > > + ether_addr_copy(sqp->ud_header.eth.dmac_h, ah->av.eth.mac);
> > > memcpy(&ctrl->srcrb_flags16[0], ah->av.eth.mac, 2);
> > > memcpy(&ctrl->imm, ah->av.eth.mac + 2, 4);
> >
> > I don't understand the last three lines. We are copying 6 bytes to
> > ah->av.eth.mac and immediately after that overwriting them.
>
> I'm not following (the memcpy() is replaced by ether_addr_copy()).
Forget it, it was me who mixed src with dst in the memcpy() signature.
Thanks,
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
* Re: [PATCH] IB/mlx4: Avoid field-overflowing memcpy()
From: Jason Gunthorpe @ 2021-06-22 0:05 UTC (permalink / raw)
To: Kees Cook
Cc: Yishai Hadas, Doug Ledford, linux-kernel, linux-rdma, linux-hardening
On Wed, Jun 16, 2021 at 01:37:44PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring array fields.
>
> Use the ether_addr_copy() helper instead, as already done for smac.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
> ---
> drivers/infiniband/hw/mlx4/qp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to for-next, thanks
Jason