From: Olof Johansson
To: Michael Chan, "David S . Miller"
Cc: Venkat Duvvuru, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Olof Johansson
Subject: [PATCH] net: bnxt_en: Fix array overrun in bnxt_fill_l2_rewrite_fields()
Date: Sun, 10 Nov 2019 18:08:55 -0800
Message-Id: <20191111020855.20775-1-olof@lixom.net>

This is caused by what seems to be a fragile typing approach by
the Broadcom firmware/driver:

/* FW expects smac to be in u16 array format */

So the driver uses eth_addr and eth_addr_mask as u16[6] instead of u8[12],
so the math in bnxt_fill_l2_rewrite_fields does a [6] deref of the u16
pointer, it goes out of bounds on the array.

Just a few lines below, they use ETH_ALEN/2, so this must have been
overlooked. I'm surprised original developers didn't notice the compiler
warnings?!

Fixes: 90f906243bf6 ("bnxt_en: Add support for L2 rewrite")
Signed-off-by: Olof Johansson
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c index 174412a55e53c..cde2b81f6fe54 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c @@ -149,29 +149,32 @@ static void bnxt_set_l2_key_mask(u32 part_key, u32 part_mask, static int bnxt_fill_l2_rewrite_fields(struct bnxt_tc_actions *actions, - u16 *eth_addr, u16 *eth_addr_mask) + u8 *eth_addr, u8 *eth_addr_mask) { u16 *p; + u8 *am; int j; if (unlikely(bnxt_eth_addr_key_mask_invalid(eth_addr, eth_addr_mask))) return -EINVAL; - if (!is_wildcard(ð_addr_mask[0], ETH_ALEN)) { - if (!is_exactmatch(ð_addr_mask[0], ETH_ALEN)) + am = eth_addr_mask; + if (!is_wildcard(am, ETH_ALEN)) { + if (!is_exactmatch(am, ETH_ALEN)) return -EINVAL; /* FW expects dmac to be in u16 array format */ - p = eth_addr; - for (j = 0; j < 3; j++) + p = (u16 *)am; + for (j = 0; j < ETH_ALEN / 2; j++) actions->l2_rewrite_dmac[j] = cpu_to_be16(*(p + j)); } - if (!is_wildcard(ð_addr_mask[ETH_ALEN], ETH_ALEN)) { - if (!is_exactmatch(ð_addr_mask[ETH_ALEN], ETH_ALEN)) + am = eth_addr_mask + ETH_ALEN; + if (!is_wildcard(am, ETH_ALEN)) { + if (!is_exactmatch(am, ETH_ALEN)) return -EINVAL; /* FW expects smac to be in u16 array format */ - p = ð_addr[ETH_ALEN / 2]; - for (j = 0; j < 3; j++) + p = (u16 *)am; + for (j = 0; j < ETH_ALEN / 2; j++) actions->l2_rewrite_smac[j] = cpu_to_be16(*(p + j)); } @@ -285,12 +288,12 @@ static int bnxt_tc_parse_actions(struct bnxt *bp, * smac (6 bytes) if rewrite of both is specified, otherwise either * dmac or smac */ - u16 eth_addr_mask[ETH_ALEN] = { 0 }; + u8 eth_addr_mask[ETH_ALEN * 2] = { 0 }; /* Used to store the L2 rewrite key for dmac (6 bytes) followed by * smac (6 bytes) if rewrite of both is specified, otherwise either * dmac or smac */ - u16 eth_addr[ETH_ALEN] = { 0 }; + u8 eth_addr[ETH_ALEN * 2] = { 0 }; struct flow_action_entry *act; int i, rc; -- 2.11.0
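Review bot: In the bnxt_fill_l2_rewrite_fields() hunk (@@ -149), both copy loops now source the rewrite MAC from the mask instead of the address. The removed lines set `p = eth_addr;` for dmac and pointed p at the second half of eth_addr for smac, while the added lines set `p = (u16 *)am;` in both branches, and am was just assigned from eth_addr_mask. Because each branch is only reached after is_exactmatch(am, ETH_ALEN) succeeds, l2_rewrite_dmac and l2_rewrite_smac would be filled with the mask bytes rather than the requested address. Keep am for the wildcard/exact-match checks and take the data from the key, e.g. `p = (u16 *)eth_addr;` for dmac and `p = (u16 *)(eth_addr + ETH_ALEN);` for smac. After this change eth_addr is only passed to bnxt_eth_addr_key_mask_invalid() and never read for the copy, which is a sign the substitution went one step too far.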
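Review bot: In the bnxt_tc_parse_actions() hunk (@@ -285), eth_addr and eth_addr_mask become plain u8 stack arrays, so they no longer carry the 2-byte alignment the old u16 declarations guaranteed, yet bnxt_fill_l2_rewrite_fields() still casts into them with `(u16 *)` and dereferences. Either annotate the declarations (for example `u8 eth_addr[ETH_ALEN * 2] __aligned(2) = { 0 };`) or read the halves with an unaligned accessor so the cast does not depend on how the compiler happens to place the arrays. The byte size is unchanged (12 bytes before and after), so the fix here is purely about element type and indexing; a short comment on the declarations saying that offsets are in bytes, dmac at 0 and smac at ETH_ALEN, would keep the next reader from repeating the u16-index mistake the commit message describes. Any other helper in this file that receives these arrays is not shown in the diff and needs its parameter types checked against the new u8 declarations.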