Received: by 10.213.65.68 with SMTP id h4csp462848imn;
        Fri, 23 Mar 2018 08:18:52 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvFlWTo4kGEcDV1qoyOK7oc0YoPG9elRhkh7hgSWsSEKNptEY9FeNVIyBtxnYeFdwVArVnh
X-Received: by 10.99.112.92 with SMTP id a28mr20926479pgn.17.1521818332876;
        Fri, 23 Mar 2018 08:18:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521818332; cv=none;
        d=google.com; s=arc-20160816;
        b=Ojw86y0v1NdMRIEw8IghB7dSQyPiFDTO7OEMWhSRUrlZ4WeA5hTBsfk0pMyxAqXyYg
         u5xV/JFwXQq1L2HHFItFEpBk6i7pHFioDQfTi1DSZlp3O9qb+Tsucyq5pmUB4SzrNk3Z
         teLRcYZPhcPUqoAg+SL43KYMK6Wgn4mZamUs7LZs6s7+x03SvuEVunlvPVuwUncFVG9T
         8s7g3B5bWGSKkojPQzo9FyZtI9dDc6WXcEHxJNUCWHrv74MwhgFohdTGgpn+u88rxLIl
         ETlj0v6qBh2O6U9UE0YMdAlkCq0S5S0RKEIxtQ5VeohHjwUM74JbsZoFVx0pZwqHKf+d
         61Ww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :in-reply-to:date:references:subject:cc:to:from
         :arc-authentication-results;
        bh=H8GEyNlvQWa3sw0s7z1T6Nz7M/gWD2jVja20E6qVPtU=;
        b=JabCC1k5i6F+25yjjgTNQEDQ4ss9LuKIcxIsck7hFT7kd5yKB2DTAsviJ9Y2ZtKEz+
         72AyOal8NZySD6qCDhQ+JQxLX9sph4dKyAJGIloNVioTJ3Eq+d2oZPDeKQYLeNdOtwa3
         eYtDq6+ahnXMwy6JvYe0GwQxhTSfCDvVl72WoulGZgAZZ/oLsXdd+MFTxkwk8R9/L2Bu
         WltGIel2Tl4Oal9KB7PCmpw2OlC+Zm3opfzlcpn9pjRsOhXUqdCPFv/pxX9NjU1ZQ294
         Bm2QvOV/xsU+psoDtKbT4AvbJ1o7F0CEWBlSVh/enjKi7Q11ha+EcYUoeGzMU7PNS/3S
         bRhw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i16-v6si8184551pll.484.2018.03.23.08.18.37;
        Fri, 23 Mar 2018 08:18:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751812AbeCWPRX (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Fri, 23 Mar 2018 11:17:23 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:43040 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751400AbeCWPRW (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 23 Mar 2018 11:17:22 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id E05C84068051;
        Fri, 23 Mar 2018 15:17:21 +0000 (UTC)
Received: from vitty.brq.redhat.com.redhat.com (ovpn-204-240.brq.redhat.com [10.40.204.240])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 2D0C62023233;
        Fri, 23 Mar 2018 15:17:19 +0000 (UTC)
From:   Vitaly Kuznetsov <vkuznets@redhat.com>
To:     Haiyang Zhang <haiyangz@linuxonhyperv.com>
Cc:     davem@davemloft.net, netdev@vger.kernel.org,
        haiyangz@microsoft.com, kys@microsoft.com, sthemmin@microsoft.com,
        olaf@aepfle.de, devel@linuxdriverproject.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next,2/2] hv_netvsc: Add range checking for rx packet offset and length
References: <20180322190114.25596-1-haiyangz@linuxonhyperv.com>
        <20180322190114.25596-3-haiyangz@linuxonhyperv.com>
Date:   Fri, 23 Mar 2018 16:17:19 +0100
In-Reply-To: <20180322190114.25596-3-haiyangz@linuxonhyperv.com> (Haiyang
        Zhang's message of "Thu, 22 Mar 2018 12:01:14 -0700")
Message-ID: <87sh8q4y9s.fsf@vitty.brq.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 23 Mar 2018 15:17:21 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 23 Mar 2018 15:17:21 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'vkuznets@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Haiyang Zhang <haiyangz@linuxonhyperv.com> writes:

> From: Haiyang Zhang <haiyangz@microsoft.com>
>
> This patch adds range checking for rx packet offset and length.
> It may only happen if there is a host side bug.
>
> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
> ---
>  drivers/net/hyperv/hyperv_net.h |  1 +
>  drivers/net/hyperv/netvsc.c     | 17 +++++++++++++++--
>  2 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
> index 0db3bd1ea06f..49c05ac894e5 100644
> --- a/drivers/net/hyperv/hyperv_net.h
> +++ b/drivers/net/hyperv/hyperv_net.h
> @@ -793,6 +793,7 @@ struct netvsc_device {
>
>  	/* Receive buffer allocated by us but manages by NetVSP */
>  	void *recv_buf;
> +	u32 recv_buf_size; /* allocated bytes */
>  	u32 recv_buf_gpadl_handle;
>  	u32 recv_section_cnt;
>  	u32 recv_section_size;
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index 1ddb2c39b6e4..a6700d65f206 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -289,6 +289,8 @@ static int netvsc_init_buf(struct hv_device *device,
>  		goto cleanup;
>  	}
>
> +	net_device->recv_buf_size = buf_size;
> +
>  	/*
>  	 * Establish the gpadl handle for this buffer on this
>  	 * channel.  Note: This call uses the vmbus connection rather
> @@ -1095,11 +1097,22 @@ static int netvsc_receive(struct net_device *ndev,
>
>  	/* Each range represents 1 RNDIS pkt that contains 1 ethernet frame */
>  	for (i = 0; i < count; i++) {
> -		void *data = recv_buf
> -			+ vmxferpage_packet->ranges[i].byte_offset;
> +		u32 offset = vmxferpage_packet->ranges[i].byte_offset;
>  		u32 buflen = vmxferpage_packet->ranges[i].byte_count;
> +		void *data;
>  		int ret;
>
> +		if (unlikely(offset + buflen > net_device->recv_buf_size)) {
> +			status = NVSP_STAT_FAIL;
> +			netif_err(net_device_ctx, rx_err, ndev,
> +				  "Packet offset:%u + len:%u too big\n",
> +				  offset, buflen);

This shouldn't happen, of course, but I'd rather ratelimit this error or
even used something like netdev_WARN_ONCE().

> +
> +			continue;
> +		}
> +
> +		data = recv_buf + offset;
> +
>  		trace_rndis_recv(ndev, q_idx, data);
>
>  		/* Pass it to the upper layer */

-- 
  Vitaly