The function obtain the next buffer without boundary check.
We should return with I/O error code.
The bug is found by fuzzing and the crash report is attached.
It is an OOB bug although reported as use-after-free.
[ 4.804724] BUG: KASAN: use-after-free in aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.805661] Read of size 4 at addr ffff888034fe93a8 by task ksoftirqd/0/9
[ 4.806505]
[ 4.806703] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #34
[ 4.807636] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
[ 4.809030] Call Trace:
[ 4.809343] dump_stack+0x76/0xa0
[ 4.809755] print_address_description.constprop.0+0x16/0x200
[ 4.810455] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.811234] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.813183] __kasan_report.cold+0x37/0x7c
[ 4.813715] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.814393] kasan_report+0xe/0x20
[ 4.814837] aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.815499] ? hw_atl_b0_hw_ring_rx_receive+0x9a5/0xb90 [atlantic]
[ 4.816290] aq_vec_poll+0x179/0x5d0 [atlantic]
[ 4.816870] ? _GLOBAL__sub_I_65535_1_aq_pci_func_init+0x20/0x20 [atlantic]
[ 4.817746] ? __next_timer_interrupt+0xba/0xf0
[ 4.818322] net_rx_action+0x363/0xbd0
[ 4.818803] ? call_timer_fn+0x240/0x240
[ 4.819302] ? __switch_to_asm+0x40/0x70
[ 4.819809] ? napi_busy_loop+0x520/0x520
[ 4.820324] __do_softirq+0x18c/0x634
[ 4.820797] ? takeover_tasklets+0x5f0/0x5f0
[ 4.821343] run_ksoftirqd+0x15/0x20
[ 4.821804] smpboot_thread_fn+0x2f1/0x6b0
[ 4.822331] ? smpboot_unregister_percpu_thread+0x160/0x160
[ 4.823041] ? __kthread_parkme+0x80/0x100
[ 4.823571] ? smpboot_unregister_percpu_thread+0x160/0x160
[ 4.824301] kthread+0x2b5/0x3b0
[ 4.824723] ? kthread_create_on_node+0xd0/0xd0
[ 4.825304] ret_from_fork+0x35/0x40
Signed-off-by: Zekun Shen <[email protected]>
---
drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 24122ccda614..f915b4885831 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -365,6 +365,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
if (!buff->is_eop) {
buff_ = buff;
do {
+ if (buff_->next >= self->size) {
+ err = -EIO;
+ goto err_exit;
+ }
next_ = buff_->next,
buff_ = &self->buff_ring[next_];
is_rsc_completed =
--
2.23.0.rc1
Hi Zekun,
Thanks for looking into that.
> diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> index 24122ccda614..f915b4885831 100644
> --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
> @@ -365,6 +365,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
> if (!buff->is_eop) {
> buff_ = buff;
> do {
> + if (buff_->next >= self->size) {
> + err = -EIO;
> + goto err_exit;
> + }
> next_ = buff_->next,
> buff_ = &self->buff_ring[next_];
> is_rsc_completed =
>
From code analysis, the only way how ->next could be overflowed - is a
hardware malfunction/data corruption.
Software driver logic can't lead to that field overflow.
I'm not sure how fuzzing can lead to that result.. Do you have any details?
Even if it can, then we should also do a similar check in `if (buff->is_eop)` case below,
since it also uses similar sequence to run through `next` pointers.
Thanks,
Igor
On Mon, Jul 12, 2021 at 06:33:37PM +0200, Igor Russkikh wrote:
> From code analysis, the only way how ->next could be overflowed - is a
> hardware malfunction/data corruption.
Yes. The unchecked index field is within a buffer ring, which I assume is a DMA region.
A faulty or compromised hardware could trigger the OOB bug. Leaving it undetected could
cause memory corruption, so the patch returns with I/O error.
> Software driver logic can't lead to that field overflow.
> I'm not sure how fuzzing can lead to that result.. Do you have any details?
The fuzzer we used is targeting the hardware input vector including MMIO and DMA.
> Even if it can, then we should also do a similar check in `if (buff->is_eop)` case below,
> since it also uses similar sequence to run through `next` pointers.
Thanks for pointing out. That should be checked too.