Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751754AbdHCHeF (ORCPT <rfc822;w@1wt.eu>);
        Thu, 3 Aug 2017 03:34:05 -0400
Received: from mail-wm0-f65.google.com ([74.125.82.65]:34157 "EHLO
        mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751032AbdHCHeD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Aug 2017 03:34:03 -0400
MIME-Version: 1.0
In-Reply-To: <86a1b4d9-db67-4380-13c9-f759d2e05ed9@ispras.ru>
References: <86a1b4d9-db67-4380-13c9-f759d2e05ed9@ispras.ru>
From: Sunil Kovvuri <sunil.kovvuri@gmail.com>
Date: Thu, 3 Aug 2017 13:04:01 +0530
Message-ID: <CA+sq2CeQB0OSNadQNd5oofmmsNsHtinShe2OZhGBGk6sU5xYkQ@mail.gmail.com>
Subject: Re: net: thunderx: Buffer overwrite on bgx_probe
To: Anton Vasilyev <vasilyev@ispras.ru>
Cc: Sunil Goutham <sgoutham@cavium.com>, ldv-project@linuxtesting.org,
        Linux Netdev List <netdev@vger.kernel.org>,
        Robert Richter <rric@kernel.org>, LKML <linux-kernel@vger.kernel.org>,
        LAKML <linux-arm-kernel@lists.infradead.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1536
Lines: 45

On Wed, Aug 2, 2017 at 10:29 PM, Anton Vasilyev <vasilyev@ispras.ru> wrote:
> Hello.
>
> While searching for memory errors in Linux kernel I've come across
> drivers/net/ethernet/cavium/thunder/thunder_bgx.ko module.
>
> I've found buffer overwrite at bgx_probe():
> Consider device PCI_SUBSYS_DEVID_83XX_BGX.
> max_bgx_per_node is set to 4 by set_max_bgx_per_node().
> Then on branch:
>     pci_read_config_word(pdev, PCI_DEVICE_ID, &sdevid);
>     if (sdevid != PCI_DEVICE_ID_THUNDER_RGX) {
>         bgx->bgx_id = (pci_resource_start(pdev,
>             PCI_CFG_REG_BAR_NUM) >> 24) & BGX_ID_MASK;
>         bgx->bgx_id += nic_get_node_id(pdev) * max_bgx_per_node;
>
> bgx->bgx_id could achieve value 3 + 3 * 4 = 15,

No, this will never be the case, the maximum no of NUMA nodes supported
on these platforms is 2, so the bgx_id will never go beyond 7.
And the platform 83XX taken as an example deosn't support NUMA, it's only
88XX which supports NUMA  and maximum no of BGX supported on that is only 2.


> which lead to buffer overwrite on
>         bgx_vnic[bgx->bgx_id] = bgx;
>
> Question: is it enough for fix to change bgx_vnic's size?
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> --
> Anton Vasilyev
> Linux Verification Center, ISPRAS
> web: http://linuxtesting.org
> e-mail: vasilyev@ispras.ru
>
>
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Thanks,
Sunil.