From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5855C64E7B for ; Mon, 30 Nov 2020 14:14:45 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DD83F2085B for ; Mon, 30 Nov 2020 14:14:44 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="g31NOKrM" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DD83F2085B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:53156 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kjjwx-0007f4-Es for qemu-devel@archiver.kernel.org; Mon, 30 Nov 2020 09:14:43 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:46036) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kjjvD-0006Vn-8q for qemu-devel@nongnu.org; Mon, 30 Nov 2020 09:12:56 -0500 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:55583) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1kjjv6-0002da-EW for qemu-devel@nongnu.org; Mon, 30 Nov 2020 09:12:53 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1606745566; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8bcn50rdr2fbeoIFvDhxCNkCWVdSXxSt3IumVA06wsI=; b=g31NOKrM2gXLQktUs7p8igfYlL/d3BKyPcRWA2K00IPBMPHtSKVredQLunyGJUgtSHUjAu 3om8TM/S0oz7oAr29iCcA5+LYkZ6+WjwVsDcjlcl/64OHoaJymSmV+pC7pYvU1ZQ/S5oao wo+CC8Ya1rbthzYjfVf+Mu6/3AJc0tg= Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-4-g9DuS21ZPZSvu5jhZCmb8Q-1; Mon, 30 Nov 2020 09:12:40 -0500 X-MC-Unique: g9DuS21ZPZSvu5jhZCmb8Q-1 Received: by mail-ed1-f70.google.com with SMTP id h5so1563361edq.3 for ; Mon, 30 Nov 2020 06:12:39 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=8bcn50rdr2fbeoIFvDhxCNkCWVdSXxSt3IumVA06wsI=; b=Iq+k/PO94HFXx7uJYDqiWQ43DYa2LAm80P/SOeVX9HHR8v/LVGFulEweVTeMhnpM+k 0sHmKCk2xRlcJGcnucMIKU9jPJVw3ggdhQnGOeEaHgeTuWFRWNq7M1GkRs6ofQOmAc+P BUywHKq9i1T0zHoTwPlwMcHgPaj1w9ONE2ZROxB6Dd3fU4AGx5IifLJx6BHA86wIiLuw drQj6/l2UXOuD5jfX1xPTD0EVOIEyi3L4ayqluldttAm95WT2C6fFyBZommAoNpFMJjn txDODCK3KdGaLBLnwBvwrNeFdd+lIx0LQ8kisHJ1QwK3lPx6J+wQE5bnqed4VoNKwx9B jdag== X-Gm-Message-State: AOAM533Vqo1+4mFrgUh+YgWa1CV5ZKiZSOxxFS3c5o0HBa/HOr/GYWqC Z+nlzJVypH1WcLDS35aS13NAWsD5s9WyIn4b6rFT9d5wZp86n4o+GmcLTTqzPAsQKHGgCGA0mjQ eyVj1UZqRi97n2mBL2cAhCz/HxxXxoJs= X-Received: by 2002:a17:906:2818:: with SMTP id r24mr20536249ejc.100.1606745558787; Mon, 30 Nov 2020 06:12:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJwlK+oPEs8wKcWjMrjDMV7k8wuW/y8IbvRyx0YZz3D6KTeMpeofUCcl31fhYEOlUF9zfzONyY98mfosYXNFmgw= X-Received: by 2002:a17:906:2818:: with SMTP id r24mr20536225ejc.100.1606745558420; Mon, 30 Nov 2020 06:12:38 -0800 (PST) MIME-Version: 1.0 References: <20201113103113.223239-1-mcascell@redhat.com> <204556ad-c6ab-2caa-aee8-3e3f7e0f60c2@redhat.com> In-Reply-To: From: Mauro Matteo Cascella Date: Mon, 30 Nov 2020 15:12:27 +0100 Message-ID: Subject: Re: [PATCH v2] net/e1000e_core: adjust count if RDH exceeds RDT in e1000e_ring_advance() To: Jason Wang Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mcascell@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=63.128.21.124; envelope-from=mcascell@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -35 X-Spam_score: -3.6 X-Spam_bar: --- X-Spam_report: (-3.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.496, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: gaoning.pgn@antgroup.com, 330cjfdn@gmail.com, Dmitry Fleytman , Laszlo Ersek , QEMU Developers Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" On Mon, Nov 30, 2020 at 3:58 AM Jason Wang wrote: > > > On 2020/11/27 =E4=B8=8B=E5=8D=8810:49, Mauro Matteo Cascella wrote: > > On Fri, Nov 27, 2020 at 6:21 AM Jason Wang wrote: > >> > >> On 2020/11/24 =E4=B8=8A=E5=8D=885:30, Mauro Matteo Cascella wrote: > >>> On Thu, Nov 19, 2020 at 6:57 AM Jason Wang wrot= e: > >>>> On 2020/11/18 =E4=B8=8B=E5=8D=884:53, Mauro Matteo Cascella wrote: > >>>>> On Wed, Nov 18, 2020 at 4:56 AM Jason Wang wr= ote: > >>>>>> On 2020/11/13 =E4=B8=8B=E5=8D=886:31, Mauro Matteo Cascella wrote: > >>>>>>> The e1000e_write_packet_to_guest() function iterates over a set o= f > >>>>>>> receive descriptors by advancing rx descriptor head register (RDH= ) from > >>>>>>> its initial value to rx descriptor tail register (RDT). The check= in > >>>>>>> e1000e_ring_empty() is responsible for detecting whether RDH has = reached > >>>>>>> RDT, terminating the loop if that's the case. Additional checks h= ave > >>>>>>> been added in the past to deal with bogus values submitted by the= guest > >>>>>>> to prevent possible infinite loop. This is done by "wrapping arou= nd" RDH > >>>>>>> at some point and detecting whether it assumes the original value= during > >>>>>>> the loop. > >>>>>>> > >>>>>>> However, when e1000e is configured to use the packet split featur= e, RDH is > >>>>>>> incremented by two instead of one, as the packet split descriptor= s are > >>>>>>> 32 bytes while regular descriptors are 16 bytes. A malicious or b= uggy > >>>>>>> guest may set RDT to an odd value and transmit only null RX descr= iptors. > >>>>>>> This corner case would prevent RDH from ever matching RDT, leadin= g to an > >>>>>>> infinite loop. This patch adds a check in e1000e_ring_advance() t= o make sure > >>>>>>> RDH does not exceed RDT in a single incremental step, adjusting t= he count > >>>>>>> value accordingly. > >>>>>> Can this patch solve this issue in another way? > >>>>>> > >>>>>> https://patchew.org/QEMU/20201111130636.2208620-1-ppandit@redhat.c= om/ > >>>>>> > >>>>>> Thanks > >>>>>> > >>>>> Yes, it does work nicely. Still, I think this patch is useful to av= oid > >>>>> possible inconsistent state in e1000e_ring_advance() when count > 1= . > >>>> So if RDT is odd, it looks to me the following codes in > >>>> e1000e_write_packet_to_guest() needs to be fixed as well. > >>>> > >>>> > >>>> base =3D e1000e_ring_head_descr(core, rxi); > >>>> > >>>> pci_dma_read(d, base, &desc, core->rx_desc_len); > >>>> > >>>> Otherwise e1000e may try to read out of descriptor ring. > >>> Sorry, I'm not sure I understand what you mean. Isn't the base addres= s > >>> computed from RDH? How can e1000e read out of the descriptor ring if > >>> RDT is odd? > >>> > >>>> Thanks > >>> On Thu, Nov 19, 2020 at 6:57 AM Jason Wang wrot= e: > >>>> On 2020/11/18 =E4=B8=8B=E5=8D=884:53, Mauro Matteo Cascella wrote: > >>>>> On Wed, Nov 18, 2020 at 4:56 AM Jason Wang wr= ote: > >>>>>> On 2020/11/13 =E4=B8=8B=E5=8D=886:31, Mauro Matteo Cascella wrote: > >>>>>>> The e1000e_write_packet_to_guest() function iterates over a set o= f > >>>>>>> receive descriptors by advancing rx descriptor head register (RDH= ) from > >>>>>>> its initial value to rx descriptor tail register (RDT). The check= in > >>>>>>> e1000e_ring_empty() is responsible for detecting whether RDH has = reached > >>>>>>> RDT, terminating the loop if that's the case. Additional checks h= ave > >>>>>>> been added in the past to deal with bogus values submitted by the= guest > >>>>>>> to prevent possible infinite loop. This is done by "wrapping arou= nd" RDH > >>>>>>> at some point and detecting whether it assumes the original value= during > >>>>>>> the loop. > >>>>>>> > >>>>>>> However, when e1000e is configured to use the packet split featur= e, RDH is > >>>>>>> incremented by two instead of one, as the packet split descriptor= s are > >>>>>>> 32 bytes while regular descriptors are 16 bytes. A malicious or b= uggy > >>>>>>> guest may set RDT to an odd value and transmit only null RX descr= iptors. > >>>>>>> This corner case would prevent RDH from ever matching RDT, leadin= g to an > >>>>>>> infinite loop. This patch adds a check in e1000e_ring_advance() t= o make sure > >>>>>>> RDH does not exceed RDT in a single incremental step, adjusting t= he count > >>>>>>> value accordingly. > >>>>>> Can this patch solve this issue in another way? > >>>>>> > >>>>>> https://patchew.org/QEMU/20201111130636.2208620-1-ppandit@redhat.c= om/ > >>>>>> > >>>>>> Thanks > >>>>>> > >>>>> Yes, it does work nicely. Still, I think this patch is useful to av= oid > >>>>> possible inconsistent state in e1000e_ring_advance() when count > 1= . > >>>> So if RDT is odd, it looks to me the following codes in > >>>> e1000e_write_packet_to_guest() needs to be fixed as well. > >>>> > >>>> > >>>> base =3D e1000e_ring_head_descr(core, rxi); > >>>> > >>>> pci_dma_read(d, base, &desc, core->rx_desc_len); > >>>> > >>>> Otherwise e1000e may try to read out of descriptor ring. > >>>> > >>>> Thanks > >> > >> Sorry, I meant RDH actually, when packet split descriptor is used, it > >> doesn't check whether DH exceeds DLEN? > >> > > When the packet split feature is used (i.e., count > 1) this patch > > basically sets RDH=3DRDT in case the increment would exceed RDT. > > > Can software set RDH to an odd value? If not, I think we are probably fin= e. > > Thanks > Honestly I don't know the answer to your question, my guess is that it may be possible for a malicious/bogus guest to set RDH the same way as RDT. Thank you, -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0