2020-11-18 15:35:37

by Andrea Parri

Subject: [PATCH] hv_netvsc: Validate number of allocated sub-channels

Lack of validation could lead to out-of-bound reads and information
leaks (cf. usage of nvdev->chan_table[]). Check that the number of
allocated sub-channels fits into the expected range.

Suggested-by: Saruhan Karademir <[email protected]>
Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Jakub Kicinski <[email protected]>
Cc: [email protected]
---
Based on hyperv-next.

drivers/net/hyperv/rndis_filter.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 3835d9bea1005..c5a709f67870f 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1226,6 +1226,11 @@ int rndis_set_subchannel(struct net_device *ndev,
return -EIO;
}

+ /* Check that number of allocated sub channel is within the expected range */
+ if (init_packet->msg.v5_msg.subchn_comp.num_subchannels > nvdev->num_chn - 1) {
+ netdev_err(ndev, "invalid number of allocated sub channel\n");
+ return -EINVAL;
+ }
nvdev->num_chn = 1 +
init_packet->msg.v5_msg.subchn_comp.num_subchannels;
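Review bot: the bound in the added `if` is computed as `nvdev->num_chn - 1`, which wraps to a very large value if `num_chn` is an unsigned type and is ever 0 at this point, so the check would then accept any host-supplied `num_subchannels`. Writing the comparison without the subtraction, as `num_subchannels >= nvdev->num_chn`, gives the same result for valid counts and rejects everything in the zero case. The commit message names `nvdev->chan_table[]` as the array at risk, but the check compares against the requested channel count rather than the table's capacity; a short comment stating why `num_chn` is already within the table size here would make the safety argument visible in the code.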

--
2.25.1


2020-11-18 20:59:39

by Haiyang Zhang

Subject: RE: [PATCH] hv_netvsc: Validate number of allocated sub-channels



> -----Original Message-----
> From: Andrea Parri (Microsoft) <[email protected]>
> Sent: Wednesday, November 18, 2020 10:33 AM
> To: [email protected]
> Cc: KY Srinivasan <[email protected]>; Haiyang Zhang
> <[email protected]>; Stephen Hemminger
> <[email protected]>; Wei Liu <[email protected]>; linux-
> [email protected]; Michael Kelley <[email protected]>; Juan
> Vazquez <[email protected]>; Saruhan Karademir
> <[email protected]>; Andrea Parri (Microsoft)
> <[email protected]>; David S. Miller <[email protected]>; Jakub
> Kicinski <[email protected]>; [email protected]
> Subject: [PATCH] hv_netvsc: Validate number of allocated sub-channels
>
> Lack of validation could lead to out-of-bound reads and information leaks (cf.
> usage of nvdev->chan_table[]). Check that the number of allocated sub-
> channels fits into the expected range.
>
> Suggested-by: Saruhan Karademir <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Jakub Kicinski <[email protected]>
> Cc: [email protected]
> ---
> Based on hyperv-next.
>
> drivers/net/hyperv/rndis_filter.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/hyperv/rndis_filter.c
> b/drivers/net/hyperv/rndis_filter.c
> index 3835d9bea1005..c5a709f67870f 100644
> --- a/drivers/net/hyperv/rndis_filter.c
> +++ b/drivers/net/hyperv/rndis_filter.c
> @@ -1226,6 +1226,11 @@ int rndis_set_subchannel(struct net_device *ndev,
> return -EIO;
> }
>
> + /* Check that number of allocated sub channel is within the expected
> range */
> + if (init_packet->msg.v5_msg.subchn_comp.num_subchannels >
> nvdev->num_chn - 1) {
> + netdev_err(ndev, "invalid number of allocated sub
> channel\n");
> + return -EINVAL;
> + }
> nvdev->num_chn = 1 +
> init_packet->msg.v5_msg.subchn_comp.num_subchannels;
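Review bot: the `netdev_err()` call in the added block does not log the rejected value, so the message alone cannot tell a count that is off by one from one that is wildly out of range. Consider printing both the received `num_subchannels` and the maximum the guest expected. The new path also returns -EINVAL while the failure path just above it in the context returns -EIO; the commit message could say whether callers of `rndis_set_subchannel()` treat the two differently.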

Reviewed-by: Haiyang Zhang <[email protected]>
Thank you.

2020-11-19 01:40:12

by Jakub Kicinski

Subject: Re: [PATCH] hv_netvsc: Validate number of allocated sub-channels

On Wed, 18 Nov 2020 16:33:10 +0100 Andrea Parri (Microsoft) wrote:
> Lack of validation could lead to out-of-bound reads and information
> leaks (cf. usage of nvdev->chan_table[]). Check that the number of
> allocated sub-channels fits into the expected range.
>
> Suggested-by: Saruhan Karademir <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Jakub Kicinski <[email protected]>
> Cc: [email protected]

Acked-by: Jakub Kicinski <[email protected]>

2020-11-24 23:38:38

by Wei Liu

Subject: Re: [PATCH] hv_netvsc: Validate number of allocated sub-channels

On Wed, Nov 18, 2020 at 05:37:15PM -0800, Jakub Kicinski wrote:
> On Wed, 18 Nov 2020 16:33:10 +0100 Andrea Parri (Microsoft) wrote:
> > Lack of validation could lead to out-of-bound reads and information
> > leaks (cf. usage of nvdev->chan_table[]). Check that the number of
> > allocated sub-channels fits into the expected range.
> >
> > Suggested-by: Saruhan Karademir <[email protected]>
> > Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> > Cc: "David S. Miller" <[email protected]>
> > Cc: Jakub Kicinski <[email protected]>
> > Cc: [email protected]
>
> Acked-by: Jakub Kicinski <[email protected]>

Applied to hyperv-next.

2020-12-14 13:41:13

by Michael Kelley (LINUX)

Subject: RE: [PATCH] hv_netvsc: Validate number of allocated sub-channels

From: Andrea Parri (Microsoft) <[email protected]> Sent: Wednesday, November 18, 2020 7:33 AM
>
> Lack of validation could lead to out-of-bound reads and information
> leaks (cf. usage of nvdev->chan_table[]). Check that the number of
> allocated sub-channels fits into the expected range.
>
> Suggested-by: Saruhan Karademir <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Jakub Kicinski <[email protected]>
> Cc: [email protected]
> ---
> Based on hyperv-next.
>
> drivers/net/hyperv/rndis_filter.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
> index 3835d9bea1005..c5a709f67870f 100644
> --- a/drivers/net/hyperv/rndis_filter.c
> +++ b/drivers/net/hyperv/rndis_filter.c
> @@ -1226,6 +1226,11 @@ int rndis_set_subchannel(struct net_device *ndev,
> return -EIO;
> }
>
> + /* Check that number of allocated sub channel is within the expected range */
> + if (init_packet->msg.v5_msg.subchn_comp.num_subchannels > nvdev->num_chn - 1) {
> + netdev_err(ndev, "invalid number of allocated sub channel\n");
> + return -EINVAL;
> + }
> nvdev->num_chn = 1 +
> init_packet->msg.v5_msg.subchn_comp.num_subchannels;
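Review bot: the closing `}` of the added block runs straight into the `nvdev->num_chn = 1 +` assignment; a blank line between them would keep the validation separate from the update, matching the blank line that precedes the added comment. The comment and the error string both read "number of allocated sub channel", while the subject line uses "sub-channels"; using the plural, hyphenated form in both places would keep the wording consistent and make the log message easier to grep for.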
>
> --
> 2.25.1

Reviewed-by: Michael Kelley <[email protected]>