| Message ID | 20230315130917.3633491-1-a.fatoum@pengutronix.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2324743wrd;
Wed, 15 Mar 2023 06:19:48 -0700 (PDT)
X-Google-Smtp-Source:
AK7set9bLBIpeVWtYCuLFfWzRf9cOYukE06VVO7/OlY6v87vUv2gReLfksW0uJvTHZUO8ncrvY3c
X-Received: by 2002:a17:90a:550c:b0:23b:3d6e:1ed with SMTP id
b12-20020a17090a550c00b0023b3d6e01edmr14447398pji.13.1678886387800;
Wed, 15 Mar 2023 06:19:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1678886387; cv=none;
d=google.com; s=arc-20160816;
b=OQV5LO8aYZJ/alwDxwWklx4t2HONlTDtiASE14SQTApHXApQmutegcU0tYJXbo2c7r
hV7efbf6vCzPyzO7cs5Tu40uGNGLJrUe/VWmiJClJFPOZ4iVGksiHozbZz/RcjmmBFXe
hb5g/eyJPJ1bVvFqrY+RTNZZt4kQFwjvwsRrVXHfP+Dwx6iFL6nt0WqBfx6b0eSpBEFh
ODixXDrmJhnS/EKu18cBECvuWnrU5z6lJhuJykIEAE8jFroEtzoiPwLlxpn4ohX37CG6
BDGb0uLpQFSuCRHdpZW92WufNKebzVCt+/sj7V/MrDpfed4rune/bZq1f9Q2biMUy55s
164g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=90tOwDFnhOKGGNYT+EV6/o+vlxIDG6Sd8CpqML1ep8w=;
b=gu3AGtLLHWHkq4lS6OguymF65yWYTyQmHpnZ4wxGSAnd9nnkU4r0niDbktbWWdJPf3
nQgEC/rvJFJYJNvE1QZUY0/MsB7GRQEhiBUg3x3X7ndXIny0wqOVNWF93rzJJFtfO1E1
5CMDMIRLFDV8HbDI+SUmLqdx5cDNnIqd7idK1hduTgEFNfY+wEiU//1L/D8xTA73USUt
jE4GmDkLveFkpYp9yrjgdSL9YAVf8gjUD2Vk/7L4KmXvvBZtqB53iDnn6hbRhqhBZFGz
O3ofhuCMTe88xEsQ9ZzfSr9L0eRJObVVRKgwaQ5BEQIY0mnvpgjz1lFs9lIA6MLKtXoz
7L/A==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
i69-20020a638748000000b0050be3e2e59fsi918233pge.36.2023.03.15.06.19.35;
Wed, 15 Mar 2023 06:19:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232071AbjCONJ4 (ORCPT <rfc822;ruipengqi7@gmail.com> + 99 others);
Wed, 15 Mar 2023 09:09:56 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54730 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229616AbjCONJw (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 15 Mar 2023 09:09:52 -0400
Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de
[IPv6:2001:67c:670:201:290:27ff:fe1d:cc33])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A391220575
for <linux-kernel@vger.kernel.org>;
Wed, 15 Mar 2023 06:09:49 -0700 (PDT)
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
by metis.ext.pengutronix.de with esmtps
(TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92)
(envelope-from <afa@pengutronix.de>)
id 1pcQso-0004kr-V5; Wed, 15 Mar 2023 14:09:34 +0100
Received: from [2a0a:edc0:0:1101:1d::54] (helo=dude05.red.stw.pengutronix.de)
by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2)
(envelope-from <afa@pengutronix.de>)
id 1pcQsm-004JKR-O2; Wed, 15 Mar 2023 14:09:32 +0100
Received: from afa by dude05.red.stw.pengutronix.de with local (Exim 4.94.2)
(envelope-from <afa@pengutronix.de>)
id 1pcQsm-00FFGc-4Q; Wed, 15 Mar 2023 14:09:32 +0100
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Linus Walleij <linus.walleij@linaro.org>,
=?utf-8?q?Alvin_=C5=A0ipraga?= <alsi@bang-olufsen.dk>,
Andrew Lunn <andrew@lunn.ch>, Florian Fainelli <f.fainelli@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
Luiz Angelo Daros de Luca <luizluca@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Cc: kernel@pengutronix.de, Ahmad Fatoum <a.fatoum@pengutronix.de>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH net 1/2] net: dsa: realtek: fix out-of-bounds access
Date: Wed, 15 Mar 2023 14:09:15 +0100
Message-Id: <20230315130917.3633491-1-a.fatoum@pengutronix.de>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2
X-SA-Exim-Mail-From: afa@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de);
SAEximRunCond expanded to false
X-PTX-Original-Recipient: linux-kernel@vger.kernel.org
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1760439973251236073?=
X-GMAIL-MSGID: =?utf-8?q?1760439973251236073?=
|
| Series |
[net,1/2] net: dsa: realtek: fix out-of-bounds access
|
|
Commit Message
Ahmad Fatoum
March 15, 2023, 1:09 p.m. UTC
The probe function sets priv->chip_data to (void *)priv + sizeof(*priv)
with the expectation that priv has enough trailing space.
However, only realtek-smi actually allocated this chip_data space.
Do likewise in realtek-mdio to fix out-of-bounds accesses.
Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/net/dsa/realtek/realtek-mdio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Wed, Mar 15, 2023 at 2:09 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) > with the expectation that priv has enough trailing space. > > However, only realtek-smi actually allocated this chip_data space. > Do likewise in realtek-mdio to fix out-of-bounds accesses. > > Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers") > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Reviewed-by: Linus Walleij <linus.walleij@linaro.org> That this worked for so long is kind of scary, and the reason why we run Kasan over so much code, I don't know if Kasan would have found this one. Rewriting the whole world in Rust will fix this problem, but it will take a while... Yours, Linus Walleij
On Wed, Mar 15, 2023 at 2:09 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > Some error messages lack a new line, add them. > > Fixes: d40f607c181f ("net: dsa: realtek: rtl8365mb: add RTL8367S support") > Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Reviewed-by: Linus Walleij <linus.walleij@linaro.org> Yours, Linus Walleij
On Wed, Mar 15, 2023 at 02:09:15PM +0100, Ahmad Fatoum wrote: > The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) > with the expectation that priv has enough trailing space. > > However, only realtek-smi actually allocated this chip_data space. > Do likewise in realtek-mdio to fix out-of-bounds accesses. > > Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers") > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> > --- Reviewed-by: Alvin Šipraga <alsi@bang-olufsen.dk> Makes me wonder how the switches worked over MDIO all this time... I guess it was dumb luck. > drivers/net/dsa/realtek/realtek-mdio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/dsa/realtek/realtek-mdio.c b/drivers/net/dsa/realtek/realtek-mdio.c > index 3e54fac5f902..3b22d3f7ad99 100644 > --- a/drivers/net/dsa/realtek/realtek-mdio.c > +++ b/drivers/net/dsa/realtek/realtek-mdio.c > @@ -152,7 +152,7 @@ static int realtek_mdio_probe(struct mdio_device *mdiodev) > if (!var) > return -EINVAL; > > - priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv), GFP_KERNEL); > + priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv) + var->chip_data_sz, GFP_KERNEL); > if (!priv) > return -ENOMEM; > > -- > 2.30.2 >
On Wed, Mar 15, 2023 at 02:09:15PM +0100, Ahmad Fatoum wrote: > The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) > with the expectation that priv has enough trailing space. > > However, only realtek-smi actually allocated this chip_data space. > Do likewise in realtek-mdio to fix out-of-bounds accesses. Hi Ahmad It is normal to include a patch 0/X which gives the big picture, what does this patch set do as a whole. Please try to remember this for the next set you post. Andrew
Hello Andrew, On 15.03.23 14:30, Andrew Lunn wrote: > On Wed, Mar 15, 2023 at 02:09:15PM +0100, Ahmad Fatoum wrote: >> The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) >> with the expectation that priv has enough trailing space. >> >> However, only realtek-smi actually allocated this chip_data space. >> Do likewise in realtek-mdio to fix out-of-bounds accesses. > > Hi Ahmad > > It is normal to include a patch 0/X which gives the big picture, what > does this patch set do as a whole. > > Please try to remember this for the next set you post. Ok, will do next time. I didn't include one this time, because there's no big picture here; Just two fixes for the same driver. Cheers, Ahmad > > Andrew >
On Wed, Mar 15, 2023 at 02:35:34PM +0100, Ahmad Fatoum wrote: > Hello Andrew, > > On 15.03.23 14:30, Andrew Lunn wrote: > > On Wed, Mar 15, 2023 at 02:09:15PM +0100, Ahmad Fatoum wrote: > >> The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) > >> with the expectation that priv has enough trailing space. > >> > >> However, only realtek-smi actually allocated this chip_data space. > >> Do likewise in realtek-mdio to fix out-of-bounds accesses. > > > > Hi Ahmad > > > > It is normal to include a patch 0/X which gives the big picture, what > > does this patch set do as a whole. > > > > Please try to remember this for the next set you post. > > Ok, will do next time. I didn't include one this time, because there's > no big picture here; Just two fixes for the same driver. Fine. You could just say that. Patch 0/X is then used as the merge commit messages. Andrew
Hi Linus, On 15.03.23 14:15, Linus Walleij wrote: > On Wed, Mar 15, 2023 at 2:09 PM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote: > >> The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) >> with the expectation that priv has enough trailing space. >> >> However, only realtek-smi actually allocated this chip_data space. >> Do likewise in realtek-mdio to fix out-of-bounds accesses. >> >> Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers") >> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> > > Reviewed-by: Linus Walleij <linus.walleij@linaro.org> Thanks for the review. > That this worked for so long is kind of scary, and the reason why we run Kasan > over so much code, I don't know if Kasan would have found this one. It still worked. I looked into it some more and for some reason, struct realtek_priv has a char buf[4096] member that's unused. I assume it caused kmalloc to return a 8K slab, where the out-of-bound writes didn't overwrite anything of value. That buffer ought to be removed, but that's for net-next. I just checked with KASAN and it does detect the OOB on ARM64. I first noticed the bug on barebox though, which has a near verbatim port of the Linux driver, but a TLSF allocator, which fits allocations more tightly, hence it crashes not long after driver probe unlike Linux. > Rewriting the whole world in Rust will fix this problem, but it will > take a while... ^^'. Cheers, Ahmad > > Yours, > Linus Walleij >
On 3/15/23 06:09, Ahmad Fatoum wrote: > The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) > with the expectation that priv has enough trailing space. > > However, only realtek-smi actually allocated this chip_data space. > Do likewise in realtek-mdio to fix out-of-bounds accesses. > > Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers") > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
> The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) > with the expectation that priv has enough trailing space. > > However, only realtek-smi actually allocated this chip_data space. > Do likewise in realtek-mdio to fix out-of-bounds accesses. > > Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers") > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> My bad. Thanks for the fix, Ahmad. Reviewed-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
On Wed, 15 Mar 2023 14:09:15 +0100 Ahmad Fatoum wrote: > - priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv), GFP_KERNEL); > + priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv) + var->chip_data_sz, GFP_KERNEL); size_add() ? Otherwise some static checker is going to soon send us a patch saying this can overflow. Let's save ourselves the hassle.
On 17.03.23 05:07, Jakub Kicinski wrote: > On Wed, 15 Mar 2023 14:09:15 +0100 Ahmad Fatoum wrote: >> - priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv), GFP_KERNEL); >> + priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv) + var->chip_data_sz, GFP_KERNEL); > > size_add() ? > Otherwise some static checker is going to soon send us a patch saying > this can overflow. Let's save ourselves the hassle. The exact same line is already in realtek-smi. Would you prefer I send a follow-up patch for net-next which switches over both files to size_add or should I send a v2? Cheers, Ahmad >
On Wed, 22 Mar 2023 16:51:00 +0100 Ahmad Fatoum wrote: > On 17.03.23 05:07, Jakub Kicinski wrote: > > On Wed, 15 Mar 2023 14:09:15 +0100 Ahmad Fatoum wrote: > >> - priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv), GFP_KERNEL); > >> + priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv) + var->chip_data_sz, GFP_KERNEL); > > > > size_add() ? > > Otherwise some static checker is going to soon send us a patch saying > > this can overflow. Let's save ourselves the hassle. > > The exact same line is already in realtek-smi. Would you prefer I send > a follow-up patch for net-next which switches over both files to size_add > or should I send a v2? We can leave the existing code be, but use the helper in the new code for v2
diff --git a/drivers/net/dsa/realtek/realtek-mdio.c b/drivers/net/dsa/realtek/realtek-mdio.c index 3e54fac5f902..3b22d3f7ad99 100644 --- a/drivers/net/dsa/realtek/realtek-mdio.c +++ b/drivers/net/dsa/realtek/realtek-mdio.c @@ -152,7 +152,7 @@ static int realtek_mdio_probe(struct mdio_device *mdiodev) if (!var) return -EINVAL; - priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(&mdiodev->dev, sizeof(*priv) + var->chip_data_sz, GFP_KERNEL); if (!priv) return -ENOMEM;