From: Konstantin Khorenko
To: Jeff Kirsher
Cc: Konstantin Khorenko, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, intel-wired-lan@lists.osuosl.org, "David S. Miller"
Subject: [PATCH 0/1] drivers/i40iw: out of bound access in i40iw_net_event()
Date: Fri, 23 Nov 2018 19:10:27 +0300
Message-Id: <20181123161028.22633-1-khorenko@virtuozzo.com>

Running a debug kernel on a node with an infiniband card, got a KASan complaint:

==================================================================
BUG: KASAN: slab-out-of-bounds in i40iw_copy_ip_ntohl+0x1c0/0x220
Read of size 4 at addr ffff88852d477380 by task swapper/6/0

CPU: 6 PID: 0 Comm: swapper/6 Not tainted 4.20.0-rc3-00087-gc8ce94b8fe53-dirty #15
Hardware name: DEPO Computers Super Server/X10DRL-i, BIOS 2.0b 05/05/2017
Call Trace:
 dump_stack+0x92/0xeb
 print_address_description+0x6a/0x280
 kasan_report+0x260/0x380
 i40iw_copy_ip_ntohl+0x1c0/0x220
 i40iw_net_event+0x150/0x200
 notifier_call_chain+0x90/0x160
 atomic_notifier_call_chain+0x6c/0x100
 neigh_update+0x82f/0x15c0
 neigh_event_ns+0x4c/0xe0
 arp_process+0x1733/0x1f60
 __netif_receive_skb_one_core+0xe6/0x150
 netif_receive_skb_internal+0xe5/0x4c0
 napi_gro_receive+0x2d1/0x3b0
 i40e_clean_rx_irq+0x9a5/0x2eb0
 i40e_napi_poll+0x11fd/0x2410
 net_rx_action+0x62f/0xbf0
 __do_softirq+0x256/0x9de
 irq_exit+0x29b/0x2d0
 do_IRQ+0x87/0x1a0
 common_interrupt+0xf/0xf

Allocated by task 0:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc+0x177/0x390
 __neigh_create+0x1e3/0x1820
 neigh_event_ns+0x6b/0xe0
 arp_process+0x1733/0x1f60
 __netif_receive_skb_one_core+0xe6/0x150
 netif_receive_skb_internal+0xe5/0x4c0
 napi_gro_receive+0x2d1/0x3b0
 i40e_clean_rx_irq+0x9a5/0x2eb0
 i40e_napi_poll+0x11fd/0x2410
 net_rx_action+0x62f/0xbf0
 __do_softirq+0x256/0x9de

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88852d477080 to the cache kmalloc-1k of size 1024
The buggy address is located 768 bytes inside of
 1024-byte region [ffff88852d477080, ffff88852d477480)
The buggy address belongs to the page:
page:ffffea0014b51c00 count:1 mapcount:0 mapping:ffff888107c0ea00 index:0x0 compound_mapcount: 0
flags: 0x17ffffc0010200(slab|head)
raw: 0017ffffc0010200 dead000000000100 dead000000000200 ffff888107c0ea00
raw: 0000000000000000 00000000801c001c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88852d477280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88852d477300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88852d477380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88852d477400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88852d477480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

The complaint is valid: i40iw_net_event() unconditionally reads 16 bytes from neigh->primary_key, while the memory allocated for the "neighbour" struct is evaluated in neigh_alloc() as tbl->entry_size + dev->neigh_priv_len, where "dev" is a net_device. But the driver does not set up dev->neigh_priv_len, so we read beyond the memory allocated for the neigh entry; the patch in the next mail fixes this.
More debug details:

crash> list net_device.dev_list -H 0xffffffffa908ec88 -s net_device.name -s net_device.neigh_priv_len
ffff88065a92a200
  name = "lo\000\000\000\000\000\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff880642340000
  name = "eno1\000\000\071:00.0\000\000\000"
  neigh_priv_len = 0
ffff88064aa6a200
  name = "enp6s0f0\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff880641180000
  name = "eno2\000\000a:00.0\000\000\000"
  neigh_priv_len = 0
ffff88063e8fd500
  name = "enp6s0f1\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff880031400000
  name = "ens11f0\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff88063c800000
  name = "ens11f1\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff8808ff4ea100
  name = "bond0\000\000\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff88101e334400
  name = "ib0\000\000\000\000\000\000\000\000\000\000\000\000"
  neigh_priv_len = 200

=========================================

crash> list i40iw_handler.list -H i40iw_handlers
ffff88004bbc0000
  ldev.netdev == 0xffff88063e8fd500
  struct net_device {
    name = "enp6s0f1\000\000\000\000\000\000\000",
ffff881049120000
  ldev.netdev == 0xffff88064aa6a200
  struct net_device {
    name = "enp6s0f0\000\000\000\000\000\000\000",

=========================================

net_device allocation stack:
  alloc_netdev_mqs
  alloc_etherdev_mq
  i40e_config_netdev
  i40e_vsi_setup
  i40e_setup_pf_switch
  i40e_probe

=========================================

After the patch:

crash> list net_device.dev_list -H 0xffffffff92a19b48 -s net_device.name -s net_device.neigh_priv_len
ffff88065a2dc400
  name = "lo\000\000\000\000\000\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff8808fb6dc200
  name = "bond0\000\000\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff880652600000
  name = "ens11f0\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff880651a00000
  name = "ens11f1\000\000\000\000\000\000\000\000"
  neigh_priv_len = 0
ffff880651454000
  name = "eno1\000\000\071:00.0\000\000\000"
  neigh_priv_len = 0
ffff880651550000
  name = "eno2\000\000a:00.0\000\000\000"
  neigh_priv_len = 0
ffff8806515cc400
  name = "enp6s0f0\000\000\000\000\000\000\000"
  neigh_priv_len = 16
ffff880650932200
  name = "enp6s0f1\000\000\000\000\000\000\000"
  neigh_priv_len = 16
ffff880642903300
  name = "ib0\000\000\000\000\000\000\000\000\000\000\000\000"
  neigh_priv_len = 200

=========================================

Konstantin Khorenko (1):
  drivers/net/i40e: define proper net_device::neigh_priv_len

 drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.15.1
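The sizing rule the cover letter quotes (tbl->entry_size + dev->neigh_priv_len) is what decides whether a fixed 16-byte read from primary_key stays inside the allocation. The following C program is an added illustration, not the kernel's code and not the patch in this thread: it models that arithmetic with a toy entry and shows why an IPv4 (4-byte key) entry with neigh_priv_len = 0 cannot safely be read as 16 bytes, while a 16-byte neigh_priv_len (the value the after-the-patch dump shows for the i40e ports) or an IPv6 table (16-byte key) can. The struct layout, the alignment constant and every toy_* name are simplified assumptions; only the key lengths 4 and 16 correspond to the real ARP and ND tables. It also includes a defensive copy that reads only the table's key length instead of a fixed 16 bytes.

```c
/*
 * Added example, not the kernel's code nor the patch in this thread: a toy
 * model of neighbour-entry sizing (tbl->entry_size + dev->neigh_priv_len).
 * Field layout, alignment and all toy_* names are simplified assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_KEY_LEN_ARP   4   /* IPv4 address: ARP table key length */
#define TOY_KEY_LEN_ND   16   /* IPv6 address: ND table key length */
#define TOY_PRIV_ALIGN    8   /* assumed alignment of the entry size */
#define TOY_ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

/* Toy neighbour entry: a fixed header followed by the flexible key. */
struct toy_neigh {
	uint32_t key_len;        /* table key length, kept for the bounds check */
	size_t   alloc_size;     /* bytes actually allocated for this entry */
	uint8_t  primary_key[];  /* key_len bytes, then any neigh_priv_len padding */
};

/* Per-table entry size: header + key, rounded up to the alignment. */
static size_t toy_entry_size(uint32_t key_len)
{
	return TOY_ALIGN_UP(offsetof(struct toy_neigh, primary_key) + key_len,
			    TOY_PRIV_ALIGN);
}

/* Allocation as quoted in the cover letter: entry_size + neigh_priv_len. */
static struct toy_neigh *toy_neigh_alloc(uint32_t key_len, size_t neigh_priv_len)
{
	size_t size = toy_entry_size(key_len) + neigh_priv_len;
	struct toy_neigh *n = calloc(1, size);

	if (!n)
		return NULL;
	n->key_len = key_len;
	n->alloc_size = size;
	return n;
}

/* Bytes from primary_key to the end of the allocation. */
static size_t toy_key_bytes_in_bounds(const struct toy_neigh *n)
{
	return n->alloc_size - offsetof(struct toy_neigh, primary_key);
}

/* 1 if a read of `want` bytes from primary_key stays inside the object. */
static int toy_read_fits(const struct toy_neigh *n, size_t want)
{
	return want <= toy_key_bytes_in_bounds(n);
}

/*
 * Defensive copy: read only the table's key length and zero-fill the rest,
 * so a 4-byte IPv4 key is never read as if it were 16 bytes long.
 */
static int toy_copy_key(const struct toy_neigh *n, uint8_t out[16])
{
	if (n->key_len > 16 || !toy_read_fits(n, n->key_len))
		return -1;
	memset(out, 0, 16);
	memcpy(out, n->primary_key, n->key_len);
	return 0;
}

/* Allocate, check whether a fixed 16-byte read fits, free. 1 = fits, 0 = overrun. */
static int toy_scenario(uint32_t key_len, size_t neigh_priv_len)
{
	struct toy_neigh *n = toy_neigh_alloc(key_len, neigh_priv_len);
	int fits;

	if (!n)
		return -1;
	fits = toy_read_fits(n, 16);
	free(n);
	return fits;
}

/* Copy a constructed IPv4 key defensively; returns the zero-filled byte count (12). */
static int toy_copy_key_demo(void)
{
	static const uint8_t constructed_v4[4] = { 192, 0, 2, 1 }; /* constructed sample */
	struct toy_neigh *n = toy_neigh_alloc(TOY_KEY_LEN_ARP, 0);
	uint8_t out[16];
	int zeros = 0, i;

	if (!n)
		return -1;
	memcpy(n->primary_key, constructed_v4, 4);
	if (toy_copy_key(n, out) != 0 || memcmp(out, constructed_v4, 4) != 0) {
		free(n);
		return -1;
	}
	for (i = 4; i < 16; i++)
		zeros += (out[i] == 0);
	free(n);
	return zeros;
}

int main(void)
{
	printf("ARP key, neigh_priv_len=0:  16-byte read fits? %d\n", toy_scenario(TOY_KEY_LEN_ARP, 0));
	printf("ARP key, neigh_priv_len=16: 16-byte read fits? %d\n", toy_scenario(TOY_KEY_LEN_ARP, 16));
	printf("ND key,  neigh_priv_len=0:  16-byte read fits? %d\n", toy_scenario(TOY_KEY_LEN_ND, 0));
	return 0;
}
```

The first scenario is the one KASAN flagged: the entry is sized for a 4-byte key and nothing pads it, so a fixed 16-byte read runs past the object. Setting neigh_priv_len to 16 on the device, as the after-the-patch dump shows for enp6s0f0 and enp6s0f1, makes the same read fit; so does reading only key_len bytes, which is what toy_copy_key does.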