Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
From:   Eli Cohen <elic@nvidia.com>
To:     Dan Carpenter <dan.carpenter@oracle.com>,
        "Michael S. Tsirkin" <mst@redhat.com>, Eli Cohen <eli@mellanox.com>
CC:     Jason Wang <jasowang@redhat.com>,
        Parav Pandit <parav@mellanox.com>,
        "virtualization@lists.linux-foundation.org" 
        <virtualization@lists.linux-foundation.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "kernel-janitors@vger.kernel.org" <kernel-janitors@vger.kernel.org>
Subject: RE: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config()
Thread-Topic: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config()
Thread-Index: AQHWbWcyWw0bb6Lnek2A2pEcJ9pvpakvUneg
Date:   Sun, 9 Aug 2020 06:34:04 +0000
Message-ID: <BN8PR12MB3425E1FCC3E20A04182640D2AB470@BN8PR12MB3425.namprd12.prod.outlook.com>
References: <20200808093241.GB115053@mwanda>
In-Reply-To: <20200808093241.GB115053@mwanda>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e9b411e5-a3d3-4eb5-1dc9-08d83c2e363c
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2020 06:34:04.7347
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xKtrZLQUyCRpvh4/onRH/KLIqia6rW8EXhlyIB1w7mPbMWrCqWgGiV7on11Ap/Ck
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR12MB3396
X-OriginatorOrg: Nvidia.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nvidia.com; s=n1;
        t=1596954833; bh=JjBF71yuXPGgTlGLNv2OC/udHBQVF+GJ8wR4qNmXefY=;
        h=X-PGP-Universal:ARC-Seal:ARC-Message-Signature:
         ARC-Authentication-Results:From:To:CC:Subject:Thread-Topic:
         Thread-Index:Date:Message-ID:References:In-Reply-To:
         Accept-Language:Content-Language:X-MS-Has-Attach:
         X-MS-TNEF-Correlator:authentication-results:x-originating-ip:
         x-ms-publictraffictype:x-ms-office365-filtering-correlation-id:
         x-ms-traffictypediagnostic:x-microsoft-antispam-prvs:
         x-ms-exchange-transport-forked:x-ms-oob-tlc-oobclassifiers:
         x-ms-exchange-senderadcheck:x-microsoft-antispam:
         x-microsoft-antispam-message-info:x-forefront-antispam-report:
         x-ms-exchange-antispam-messagedata:Content-Type:
         Content-Transfer-Encoding:MIME-Version:
         X-MS-Exchange-CrossTenant-AuthAs:
         X-MS-Exchange-CrossTenant-AuthSource:
         X-MS-Exchange-CrossTenant-Network-Message-Id:
         X-MS-Exchange-CrossTenant-originalarrivaltime:
         X-MS-Exchange-CrossTenant-fromentityheader:
         X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype:
         X-MS-Exchange-CrossTenant-userprincipalname:
         X-MS-Exchange-Transport-CrossTenantHeadersStamped:X-OriginatorOrg;
        b=J26KKMJKFcDx6r29xLENW2XLcWSK6WzgYiM0svxj/J1SJAMfXXGVTEb6I/j1VDs25
         lXRQOiQ6+6lycWvKogGOcpiBZedCA10sXv2rwc0lLH9gGIgIRC6EHqUe9wuSih+Agi
         NgA/OYtpFXK+kwqidSc9MDpN8JDvmsczFLBG7VUDyaZlQF462IjXwqPkJS9v05TXuR
         3rDqrj0DSKbkqr9o/eqQCp5/wJXvh+s2yNClXpsbumywLh8JOh9v+rfuJ4hGWO4Szr
         nKgpGUAS4C6T9qpHJEDoYvjtaWH6HNrcbVWVpahGhmEiwrWZ5zXfkz5gU15Qyw4iG3
         o/6jgnTC0Aamg==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Acked-by: Eli Cohen <elic@nvidia.com>

BTW, vdpa_sim has the same bug.

-----Original Message-----
From: Dan Carpenter <dan.carpenter@oracle.com>=20
Sent: Saturday, August 8, 2020 12:33 PM
To: Michael S. Tsirkin <mst@redhat.com>; Eli Cohen <eli@mellanox.com>
Cc: Jason Wang <jasowang@redhat.com>; Parav Pandit <parav@mellanox.com>; vi=
rtualization@lists.linux-foundation.org; linux-kernel@vger.kernel.org; kern=
el-janitors@vger.kernel.org
Subject: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config()

There is a pointer math bug here so if "offset" is non-zero then this will =
copy memory from beyond the end of the array.

Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices=
")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5=
_vnet.c
index 3ec44a4f0e45..9d1637cf772e 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1758,7 +1758,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device *=
vdev, unsigned int offset,
 	struct mlx5_vdpa_net *ndev =3D to_mlx5_vdpa_ndev(mvdev);
=20
 	if (offset + len < sizeof(struct virtio_net_config))
-		memcpy(buf, &ndev->config + offset, len);
+		memcpy(buf, (u8 *)&ndev->config + offset, len);
 }
=20
 static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int of=
fset, const void *buf,
--
2.27.0