From: Vitaly Kuznetsov
To: Haiyang Zhang
Cc: davem@davemloft.net, netdev@vger.kernel.org, haiyangz@microsoft.com, kys@microsoft.com, sthemmin@microsoft.com, olaf@aepfle.de, devel@linuxdriverproject.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next,2/2] hv_netvsc: Add range checking for rx packet offset and length
Date: Fri, 23 Mar 2018 16:17:19 +0100
Message-ID: <87sh8q4y9s.fsf@vitty.brq.redhat.com>

Haiyang Zhang writes:

> From: Haiyang Zhang > > This patch adds range checking for rx packet offset and length. > It may only happen if there is a host side bug. > > Signed-off-by: Haiyang Zhang > --- > drivers/net/hyperv/hyperv_net.h | 1 + > drivers/net/hyperv/netvsc.c | 17 +++++++++++++++-- > 2 files changed, 16 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h > index 0db3bd1ea06f..49c05ac894e5 100644 > --- a/drivers/net/hyperv/hyperv_net.h > +++ b/drivers/net/hyperv/hyperv_net.h 
> @@ -793,6 +793,7 @@ struct netvsc_device { > > /* Receive buffer allocated by us but manages by NetVSP */ > void *recv_buf; > + u32 recv_buf_size; /* allocated bytes */ > u32 recv_buf_gpadl_handle; > u32 recv_section_cnt; > u32 recv_section_size; > diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c > index 1ddb2c39b6e4..a6700d65f206 100644 > --- a/drivers/net/hyperv/netvsc.c > +++ b/drivers/net/hyperv/netvsc.c > @@ -289,6 +289,8 @@ static int netvsc_init_buf(struct hv_device *device, > goto cleanup; > } > > + net_device->recv_buf_size = buf_size; > + > /* > * Establish the gpadl handle for this buffer on this > * channel. Note: This call uses the vmbus connection rather > @@ -1095,11 +1097,22 @@ static int netvsc_receive(struct net_device *ndev, > > /* Each range represents 1 RNDIS pkt that contains 1 ethernet frame */ > for (i = 0; i < count; i++) { > - void *data = recv_buf > - + vmxferpage_packet->ranges[i].byte_offset; > + u32 offset = vmxferpage_packet->ranges[i].byte_offset; > u32 buflen = vmxferpage_packet->ranges[i].byte_count; > + void *data; > int ret; > > + if (unlikely(offset + buflen > net_device->recv_buf_size)) { > + status = NVSP_STAT_FAIL; > + netif_err(net_device_ctx, rx_err, ndev, > + "Packet offset:%u + len:%u too big\n", > + offset, buflen);

This shouldn't happen, of course, but I'd rather ratelimit this error or even use something like netdev_WARN_ONCE().

> + > + continue; > + } > + > + data = recv_buf + offset; > + > trace_rndis_recv(ndev, q_idx, data); > > /* Pass it to the upper layer */

--
Vitaly
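
Review bot: In the netvsc_receive() hunk, the new test `offset + buflen > net_device->recv_buf_size` adds two u32 values read from vmxferpage_packet->ranges[i], so the sum can wrap around 2^32 and a large byte_offset combined with a large byte_count passes the check, after which `data = recv_buf + offset` points outside the receive buffer. Since the check exists to catch bad values from the host, write it without the addition, for example `offset > net_device->recv_buf_size || buflen > net_device->recv_buf_size - offset`, or widen the sum to u64 before comparing it with recv_buf_size.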