linux-stable/drivers/net/ethernet
Zekun Shen b922f62259 atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
This bug report shows up when running our research tools. The
report is SOOB read, but it seems SOOB write is also possible
a few lines below.

In detail, fw.len and sw.len are inputs coming from io. A len
over the size of self->rpc triggers SOOB. The patch fixes the
bugs by adding sanity checks.

The bugs are triggerable with compromised/malfunctioning devices.
They are potentially exploitable given they first leak up to
0xffff bytes and are able to overwrite the region later.

The patch is tested with QEMU emulator.
This is NOT tested with a real device.

Attached is the log we found by fuzzing.

BUG: KASAN: slab-out-of-bounds in
	hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
Read of size 4 at addr ffff888016260b08 by task modprobe/213
CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
 dump_stack+0x76/0xa0
 print_address_description.constprop.0+0x16/0x200
 ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
 ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
 __kasan_report.cold+0x37/0x7c
 ? aq_hw_read_reg_bit+0x60/0x70 [atlantic]
 ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
 kasan_report+0xe/0x20
 hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
 hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic]
 hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic]
 hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic]
 ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic]
 ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic]
 hw_atl_utils_initfw+0x12a/0x1c8 [atlantic]
 aq_nic_ndev_register+0x88/0x650 [atlantic]
 ? aq_nic_ndev_init+0x235/0x3c0 [atlantic]
 aq_pci_probe+0x731/0x9b0 [atlantic]
 ? aq_pci_func_init+0xc0/0xc0 [atlantic]
 local_pci_probe+0xd3/0x160
 pci_device_probe+0x23f/0x3e0

Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-11-15 14:02:22 +00:00
3com ethernet: replace netdev->dev_addr 16bit writes 2021-10-14 09:22:27 -07:00
8390 ethernet: 8390: remove direct netdev->dev_addr writes 2021-10-09 11:46:57 +01:00
actions ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
adaptec ethernet: adaptec: use eth_hw_addr_set() 2021-10-16 08:53:45 +01:00
aeroflex ethernet: aeroflex: use eth_hw_addr_set() 2021-10-16 08:53:45 +01:00
agere ethernet: use eth_hw_addr_set() instead of ether_addr_copy() 2021-10-02 14:18:25 +01:00
alacritech ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
allwinner ethernet: use of_get_ethdev_address() 2021-10-07 13:39:51 +01:00
alteon ethernet: alteon: use eth_hw_addr_set() 2021-10-16 08:53:46 +01:00
altera ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
amazon ethernet: use eth_hw_addr_set() instead of ether_addr_copy() 2021-10-02 14:18:25 +01:00
amd Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-11-01 20:05:14 -07:00
apm ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
apple ethernet: replace netdev->dev_addr assignment loops 2021-10-14 09:22:25 -07:00
aquantia atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait 2021-11-15 14:02:22 +00:00
arc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-14 16:50:14 -07:00
asix ax88796c: fix ioctl callback 2021-11-05 14:23:21 +00:00
atheros net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
broadcom net: bnx2x: fix variable dereferenced before check 2021-11-15 13:28:49 +00:00
brocade ethernet: Remove redundant 'flush_workqueue()' calls 2021-10-10 11:33:15 +01:00
cadence net: macb: Fix mdio child node detection 2021-10-27 17:12:18 -07:00
calxeda ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
cavium net: liquidio: Make use of the helper macro kthread_run() 2021-10-22 11:10:10 -07:00
chelsio Networking fixes for 5.16-rc1, including fixes from bpf, can 2021-11-11 09:49:36 -08:00
cirrus ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
cisco ethernet: enic: use eth_hw_addr_set() 2021-10-16 08:53:46 +01:00
cortina ethernet: make use of eth_hw_addr_random() where appropriate 2021-10-14 09:22:15 -07:00
davicom ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
dec net: tulip: winbond-840: fix build for UML 2021-10-14 19:18:53 -07:00
dlink ethernet: replace netdev->dev_addr 16bit writes 2021-10-14 09:22:27 -07:00
emulex ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
ezchip ethernet: use of_get_ethdev_address() 2021-10-07 13:39:51 +01:00
faraday ethernet: make more use of device_get_ethdev_address() 2021-10-07 13:39:51 +01:00
freescale net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
fujitsu ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
google gve: fix unmatched u64_stats_update_end() 2021-11-10 14:42:25 +00:00
hisilicon Networking fixes for 5.16-rc1, including fixes from bpf, can 2021-11-11 09:49:36 -08:00
huawei net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
i825xx ethernet: replace netdev->dev_addr assignment loops 2021-10-14 09:22:25 -07:00
ibm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-11-01 20:05:14 -07:00
intel ice: Fix race conditions between virtchnl handling and VF ndo ops 2021-11-03 08:16:32 -07:00
litex litex_liteeth: Fix a double free in the remove function 2021-11-07 21:51:17 +00:00
marvell Networking fixes for 5.16-rc1, including fixes from bpf, can 2021-11-11 09:49:36 -08:00
mediatek ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
mellanox Networking fixes for 5.16-rc1, including fixes from bpf, can 2021-11-11 09:49:36 -08:00
micrel ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
microchip net: ethernet: microchip: lan743x: Increase rx ring size to improve rx performance 2021-10-29 13:30:20 +01:00
microsoft net: mana: Fix spelling mistake "calledd" -> "called" 2021-11-09 19:16:55 -08:00
moxa ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
mscc net: mscc: ocelot: serialize access to the MAC table 2021-10-25 12:59:41 +01:00
myricom ethernet: replace netdev->dev_addr assignment loops 2021-10-14 09:22:25 -07:00
natsemi ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
neterion Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-14 16:50:14 -07:00
netronome pci-v5.16-changes 2021-11-06 14:36:12 -07:00
ni ethernet: use eth_hw_addr_set() instead of ether_addr_copy() 2021-10-02 14:18:25 +01:00
nvidia ethernet: forcedeth: remove direct netdev->dev_addr writes 2021-10-09 11:46:56 +01:00
nxp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
oki-semi ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
packetengines ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
pasemi ethernet: manually convert memcpy(dev_addr,..., sizeof(addr)) 2021-10-14 09:22:19 -07:00
pensando net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
qlogic RDMA v5.16 merge window pull request 2021-11-03 08:05:59 -07:00
qualcomm ethernet: make use of eth_hw_addr_random() where appropriate 2021-10-14 09:22:15 -07:00
rdc ethernet: replace netdev->dev_addr 16bit writes 2021-10-14 09:22:27 -07:00
realtek Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
renesas ethernet: renesas: use eth_hw_addr_set() 2021-10-19 12:41:47 +01:00
rocker ethernet: rocker: use eth_hw_addr_set() 2021-10-19 12:41:47 +01:00
samsung ethernet: sxgbe: use eth_hw_addr_set() 2021-10-19 12:41:48 +01:00
seeq ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
sfc sfc: use swap() to make code cleaner 2021-11-05 10:14:38 +00:00
sgi ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
silan ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
sis ethernet: sis900: fix indentation 2021-11-12 20:13:28 -08:00
smsc ethernet: smsc: use eth_hw_addr_set() 2021-10-19 12:41:48 +01:00
socionext ethernet: netsec: use eth_hw_addr_set() 2021-10-20 11:41:01 +01:00
stmicro net: stmmac: allow a tc-taprio base-time of zero 2021-11-10 14:32:15 +00:00
sun ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
synopsys ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
tehuti ethernet: tehuti: use eth_hw_addr_set() 2021-10-20 11:41:01 +01:00
ti net: ethernet: ti: cpsw_ale: Fix access to un-initialized memory 2021-11-10 14:33:04 +00:00
toshiba ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
tundra
via ethernet: via-velocity: use eth_hw_addr_set() 2021-10-20 11:41:01 +01:00
wiznet net: w5100: Make w5100_remove() return void 2021-10-18 12:59:12 +01:00
xilinx net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
xircom ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
xscale net: ethernet: ixp4xx: Make use of dma_pool_zalloc() instead of dma_pool_alloc/memset() 2021-10-19 13:24:26 +01:00
dnet.c ethernet: manually convert memcpy(dev_addr,..., sizeof(addr)) 2021-10-14 09:22:19 -07:00
dnet.h
ec_bhf.c ethernet: ec_bhf: use eth_hw_addr_set() 2021-10-16 08:53:46 +01:00
ethoc.c ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
fealnx.c ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
jme.c ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
jme.h
Kconfig net: ax88796c: ASIX AX88796C SPI Ethernet Adapter Driver 2021-10-21 16:28:41 -07:00
korina.c ethernet: use of_get_ethdev_address() 2021-10-07 13:39:51 +01:00
lantiq_etop.c net: ethernet: lantiq_etop: Fix compilation error 2021-11-10 14:39:54 +00:00
lantiq_xrx200.c net: lantiq_xrx200: Hardcode the burst length value 2021-10-29 12:15:35 +01:00
Makefile net: ax88796c: ASIX AX88796C SPI Ethernet Adapter Driver 2021-10-21 16:28:41 -07:00