| From foo@baz Thu Sep 14 23:20:08 PDT 2017 |
| From: Stefano Brivio <sbrivio@redhat.com> |
| Date: Fri, 25 Aug 2017 22:48:48 +0200 |
| Subject: cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() |
| |
| From: Stefano Brivio <sbrivio@redhat.com> |
| |
| |
| [ Upstream commit 0f3086868e8889a823a6e0f3d299102aa895d947 ] |
| |
| Passing commands for logging to t4_record_mbox() with size |
| MBOX_LEN, when the actual command size is actually smaller, |
| causes out-of-bounds stack accesses in t4_record_mbox() while |
| copying command words here: |
| |
|     for (i = 0; i < size / 8; i++) |
|         entry->cmd[i] = be64_to_cpu(cmd[i]); |
| |
| Up to 48 bytes from the stack are then leaked to debugfs. |
| |
| This happens whenever we send (and log) commands described by |
| structs fw_sched_cmd (32 bytes leaked), fw_vi_rxmode_cmd (48), |
| fw_hello_cmd (48), fw_bye_cmd (48), fw_initialize_cmd (48), |
| fw_reset_cmd (48), fw_pfvf_cmd (32), fw_eq_eth_cmd (16), |
| fw_eq_ctrl_cmd (32), fw_eq_ofld_cmd (32), fw_acl_mac_cmd(16), |
| fw_rss_glb_config_cmd(32), fw_rss_vi_config_cmd(32), |
| fw_devlog_cmd(32), fw_vi_enable_cmd(48), fw_port_cmd(32), |
| fw_sched_cmd(32), fw_devlog_cmd(32). |
| |
| The cxgb4vf driver got this right instead. |
| |
| When we call t4_record_mbox() to log a command reply, a MBOX_LEN |
| size can be used though, as get_mbox_rpl() will fill cmd_rpl up |
| completely. |
| |
| Fixes: 7f080c3f2ff0 ("cxgb4: Add support to enable logging of firmware mailbox commands") |
| Signed-off-by: Stefano Brivio <sbrivio@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c |
| +++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c |
| @@ -317,12 +317,12 @@ int t4_wr_mbox_meat_timeout(struct adapt |
| |
| if (v != MBOX_OWNER_DRV) { |
| ret = (v == MBOX_OWNER_FW) ? -EBUSY : -ETIMEDOUT; |
| - t4_record_mbox(adap, cmd, MBOX_LEN, access, ret); |
| + t4_record_mbox(adap, cmd, size, access, ret); |
| return ret; |
| } |
| |
| /* Copy in the new mailbox command and send it on its way ... */ |
| - t4_record_mbox(adap, cmd, MBOX_LEN, access, 0); |
| + t4_record_mbox(adap, cmd, size, access, 0); |
| for (i = 0; i < size; i += 8) |
| t4_write_reg64(adap, data_reg + i, be64_to_cpu(*p++)); |
| |
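Review bot: With the shorter size now passed at both t4_record_mbox() calls in this hunk, the copy loop quoted in the commit message (i < size / 8) writes only the first size / 8 words of entry->cmd[]. Please confirm that t4_record_mbox() clears the remaining words up to MBOX_LEN / 8. If it does not, a reused log entry would still show words from an earlier, longer command in debugfs. The logging loop and the register write loop below it (i < size; i += 8) also both assume size is a multiple of 8 and no larger than MBOX_LEN. That check is not visible in this hunk, so it is worth verifying that it runs before the first t4_record_mbox() call.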
| @@ -371,7 +371,7 @@ int t4_wr_mbox_meat_timeout(struct adapt |
| } |
| |
| ret = (pcie_fw & PCIE_FW_ERR_F) ? -ENXIO : -ETIMEDOUT; |
| - t4_record_mbox(adap, cmd, MBOX_LEN, access, ret); |
| + t4_record_mbox(adap, cmd, size, access, ret); |
| dev_err(adap->pdev_dev, "command %#x in mailbox %d timed out\n", |
| *(const u8 *)cmd, mbox); |
| t4_report_fw_error(adap); |
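Review bot: Nothing at this call site, or at the two in the previous hunk, records why the command is logged with size rather than MBOX_LEN, so the same over-read could be reintroduced by a later cleanup that "normalizes" the argument. The commit message explains that replies can still be logged with MBOX_LEN because get_mbox_rpl() fills cmd_rpl completely. A one-line comment stating that distinction, either above t4_record_mbox() or at the first call in t4_wr_mbox_meat_timeout(), would keep the reasoning next to the code.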