Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp695653ybg; Mon, 1 Jun 2020 11:55:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzX4sYQYlDwZfviy9ah1jnJiMIciX8NoLYye+dR8NWKGuAR1FzTYl84ioLe8/fZwxTxI5rR X-Received: by 2002:a17:906:254f:: with SMTP id j15mr6112948ejb.162.1591037722090; Mon, 01 Jun 2020 11:55:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591037722; cv=none; d=google.com; s=arc-20160816; b=IDSEu9PiOzvoi66FYCVne5UvmSmF2gN4k7cPO/EZ/RFtd9Oy5ghEbrepruzjWiAxUA z2PxQ2YTfYnhw69W54RS6gix7WN/36CtGFjyD8qTpy+8+nMwNo59GbA1KZL98Z//1ipJ xieWWpCE7c9UaD7/HY25wcI6PtK8q/LXldpW2fNxvehDbSv6hkjcC0oJJfKbWnvw0ajy DTygXKHoClvs3RxWnoi0As/7zrokfHR3of4MykLIcOpiuargf15peSBr5MpHxlDRD/Yr geatCyxws92vczMGX8l5JvvCaZZmKe0fRg2PFYG5QMB1YxjXVpYW8F09lB4DgNaLFXDh 1+xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=hP08PTAvYVgHgIvLYoRA4kY0d54Atog2jmsGTLGHELo=; b=KxeBNkcreeJb/7nOaXDgrrx9wQ4Y6qL/ce/DVtD1e0837s1JKGwVrpFMV9qjeIaggG O3cNJ3+912vptMLMoWW0TMvQPD3szFL/QDS7O7S8hGd/GeD65zy09/PEu5GRa6oW5GCG y2bgy8AkLorYFAcN5q3Cq3ceWBqXKiDfBisxdBQAHDaRrBa3YFHQx3t+cWU3ffB199ij 43EvqLhd+zn4yvIMCx5QabYJS8c/AOLoMnx4AuIaYYuwv/c9/Gup2syEh2niosNSDxD0 AI6XrsR6A0/DzXZrZOgbEPR8G00bs00upXw1PzWfyVw5titYivzQPTgl+DWs8pDmcsWz aROA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c11si167147edw.19.2020.06.01.11.54.58; Mon, 01 Jun 2020 11:55:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730867AbgFASxS (ORCPT + 99 others); Mon, 1 Jun 2020 14:53:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44862 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728479AbgFASxQ (ORCPT ); Mon, 1 Jun 2020 14:53:16 -0400 Received: from shards.monkeyblade.net (shards.monkeyblade.net [IPv6:2620:137:e000::1:9]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CDDB4C061A0E; Mon, 1 Jun 2020 11:53:15 -0700 (PDT) Received: from localhost (unknown [IPv6:2601:601:9f00:477::3d5]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id 7503E11D53F8B; Mon, 1 Jun 2020 11:53:15 -0700 (PDT) Date: Mon, 01 Jun 2020 11:53:14 -0700 (PDT) Message-Id: <20200601.115314.1252090110544162221.davem@davemloft.net> To: baijiaju1990@gmail.com Cc: doshir@vmware.com, pv-drivers@vmware.com, kuba@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() From: David Miller In-Reply-To: <20200530024150.27308-1-baijiaju1990@gmail.com> References: <20200530024150.27308-1-baijiaju1990@gmail.com> X-Mailer: Mew version 6.8 on Emacs 26.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Mon, 01 Jun 2020 11:53:15 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jia-Ju Bai Date: Sat, 30 May 2020 10:41:50 +0800 > The value adapter->rss_conf is stored in DMA memory, and it is assigned > to rssConf, so rssConf->indTableSize can be modified at anytime by > malicious hardware. Because rssConf->indTableSize is assigned to n, > buffer overflow may occur when the code "rssConf->indTable[n]" is > executed. > > To fix this possible bug, n is checked after being used. > > Signed-off-by: Jia-Ju Bai Applied, thanks.