Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp678207pxf;
        Wed, 17 Mar 2021 13:13:01 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw9CUn/iA32yxSyUyfRBLB7+QW2nnHIFH0wNPM5dPbRa/nJA2B2vE0szvVzfwxyqNRgsbiG
X-Received: by 2002:aa7:db53:: with SMTP id n19mr45437582edt.330.1616011981196;
        Wed, 17 Mar 2021 13:13:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1616011981; cv=none;
        d=google.com; s=arc-20160816;
        b=LtoDhOBz+sgUyrlv7oc3IlPwcM9APtlcSqfJhEeuCbnLhPifkEbOl4ukv9076pt41W
         7+mkrkFX/Zq2EvWo8xV7hL2OadJQDTwffZ70HvIX/knXpHX1Yo5JIjG68AqGJvt+Fn7H
         w0wdWttZ0uuM9DUvRmwgzRV+4+wgGEMpYsE56dM9MNVHkEa7BiWkLepshYsTQfwg8rPQ
         GMYxY9FsR9roOsA8A27ANqHo77D/PDEjcrzwgdysEcXpsJLuAkZaF6BFZ83ET6N67of3
         +NnKroV57Hy/uj7bdWM0lgpXqL3ShHs5x6XpuNx1WkYUdg97WAOae70i0E8uyU5dbkgs
         zPOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=GwuY5Os0hwvThFgmnaX2i5CEbiXkSD9Cnc88LImmE8U=;
        b=AItFJZRsGw92zANl29dNERxGrW3ueqQbNuNqiHQ7RN3P8FeNdZU/eW5+2ZDbzPgMZv
         TTuentkBokCfKLNxgDspa8+8A001axo39FWW55q9tkUvEe/8uq2VWoZB4TqzZ2NS4COc
         ODrqqkOzarpQ0GIEYr1NgJmcSa0v56vrrR+NhXV1OmS6Z5/YdublgfqKyxXhUtqU+8T3
         UXPQBFaZyHzdpjgl5O9le15lhfA1hfx3jky9q1NTs6Xt6JCQalVNYfw/6QgYoEsxexc5
         PGQOWW6rB1GTxvoHEQErmjt6zXbf2ybvMGLxe4aaafZ6Ntc4qX1yzq7EYCygzWZ3vIQR
         6Gow==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ib1EAXSg;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z24si16415659ejx.462.2021.03.17.13.12.37;
        Wed, 17 Mar 2021 13:13:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ib1EAXSg;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233305AbhCQULh (ORCPT <rfc822;maciejromanfijalkowski@gmail.com>
        + 99 others); Wed, 17 Mar 2021 16:11:37 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44336 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233312AbhCQULB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Mar 2021 16:11:01 -0400
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 54210C061760
        for <linux-kernel@vger.kernel.org>; Wed, 17 Mar 2021 13:11:00 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id m12so851249lfq.10
        for <linux-kernel@vger.kernel.org>; Wed, 17 Mar 2021 13:11:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=GwuY5Os0hwvThFgmnaX2i5CEbiXkSD9Cnc88LImmE8U=;
        b=ib1EAXSgC5DszNXgQNlOZkDzUJYDzPguRpAnO/17t6JQnu6ySfklBaHe4k3kC4o2wC
         abjdNCs4RlVlutyv//RC2MQnHb/R4HezC58AX5kccJuMWt838/NcbpD8jMkrAGdqLX8W
         gyXj0kr6aduMQ7VGrCSYSuPzcuX579VCpDVJoKH2dXUuqc53wE1TBTsZnaL7871AZA1f
         srbM3/iDMdblSN784lxsSDQ7FS0iT9WF3/gtOoFzL+MdgmJ0ygdlnIXrwv5YivVyhpia
         9rTGJ8kyAMcbVqEHmbgOjtzOMIIQIY7Vnb7hyD9HtppttVSk2W1tbUfsk6sOkbrSooDk
         rajw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=GwuY5Os0hwvThFgmnaX2i5CEbiXkSD9Cnc88LImmE8U=;
        b=PLMAZbRUsBTURllxz1llkeyNKbSjdQpLqwxSh6zgANGWhVR3+Uf3OvgYBrpR3i+gOJ
         2Z3xDazpG6xh0dywBDPrBwXrI3euRAVUs4oOqZLwrcM8aFdz2y9p8TSl0z8Tgmnqeudn
         yekkqKCbiqJlNthf6QfLZ1DJf5wLb7cL0atwC0s/hHrF6ThPy5mkzX8aGVs1/Baf4jWd
         a+rliISUt7qUtrT8TnO0WNny9z1jIRzN+gTDxqN6iTgdMv+Ce5k32wW92X/ZFpY0cdxL
         DBovfpJRnbH8bqy0GX8ffWN93CvkjeTAMj2JSujkKfEL2CP5FIH21FHZBcmUnrf1KFGf
         A0Zg==
X-Gm-Message-State: AOAM531jRSguxZlSAo/NREg0csPYOM6VCRrHxH19nkkjykFLYk5biCOK
        zhz/VCITHpGMxOEUwQEpzgkiuLzGwHgT+n7DrXTElA==
X-Received: by 2002:a05:6512:39c2:: with SMTP id k2mr3043146lfu.69.1616011858514;
 Wed, 17 Mar 2021 13:10:58 -0700 (PDT)
MIME-Version: 1.0
References: <20210317064148.GA55123@embeddedor> <CAG48ez2RDqKwx=umOHjo_1mYyNQgzvcP=KOw1HgSo4Prs_VQDw@mail.gmail.com>
 <3bd8d009-2ad2-c24d-5c34-5970c52502de@embeddedor.com> <CAG48ez2jr_8MbY_sNXfwvs7WsF-5f9j=U4-66dTcgXd2msr39A@mail.gmail.com>
 <03c013b8-4ddb-8e9f-af86-3c43cd746dbb@embeddedor.com>
In-Reply-To: <03c013b8-4ddb-8e9f-af86-3c43cd746dbb@embeddedor.com>
From:   Jann Horn <jannh@google.com>
Date:   Wed, 17 Mar 2021 21:10:32 +0100
Message-ID: <CAG48ez1heVw2WRUMrGskUyJV0wH4YfgbF=raFKWXXM7oY1zKDA@mail.gmail.com>
Subject: Re: [Intel-wired-lan] [PATCH][next] ixgbe: Fix out-of-bounds warning
 in ixgbe_host_interface_command()
To:     "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc:     "Gustavo A. R. Silva" <gustavoars@kernel.org>,
        Network Development <netdev@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        intel-wired-lan@lists.osuosl.org, linux-hardening@vger.kernel.org,
        Jakub Kicinski <kuba@kernel.org>,
        "David S. Miller" <davem@davemloft.net>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 17, 2021 at 9:04 PM Gustavo A. R. Silva
<gustavo@embeddedor.com> wrote:
> On 3/17/21 13:57, Jann Horn wrote:
> >>>> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
> >>>> index 62ddb452f862..bff3dc1af702 100644
> >>>> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
> >>>> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
> >>>> @@ -3679,7 +3679,7 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw *hw, void *buffer,
> >>>>         u32 hdr_size = sizeof(struct ixgbe_hic_hdr);
> >>>>         union {
> >>>>                 struct ixgbe_hic_hdr hdr;
> >>>> -               u32 u32arr[1];
> >>>> +               u32 *u32arr;
> >>>>         } *bp = buffer;
> >>>>         u16 buf_len, dword_len;
> >>>>         s32 status;
> >>>
> >>> This looks bogus. An array is inline, a pointer points elsewhere -
> >>> they're not interchangeable.
> >>
> >> Yep; but in this case these are the only places in the code where _u32arr_ is
> >> being used:
> >>
> >> 3707         /* first pull in the header so we know the buffer length */
> >> 3708         for (bi = 0; bi < dword_len; bi++) {
> >> 3709                 bp->u32arr[bi] = IXGBE_READ_REG_ARRAY(hw, IXGBE_FLEX_MNG, bi);
> >> 3710                 le32_to_cpus(&bp->u32arr[bi]);
> >> 3711         }
> >
> > So now line 3709 means: Read a pointer from bp->u32arr (the value
> > being read from there is not actually a valid pointer), and write to
> > that pointer at offset `bi`. I don't see how that line could execute
> > without crashing.
>
> Yeah; you're right. I see my confusion now. Apparently, there is no escape
> from allocating heap memory to fix this issue, as I was proposing in my
> last email.

Why? Can't you do something like this?

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
index 62ddb452f862..768fa124105b 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
@@ -3677,10 +3677,8 @@ s32 ixgbe_host_interface_command(struct
ixgbe_hw *hw, void *buffer,
                                 bool return_data)
 {
        u32 hdr_size = sizeof(struct ixgbe_hic_hdr);
-       union {
-               struct ixgbe_hic_hdr hdr;
-               u32 u32arr[1];
-       } *bp = buffer;
+       u32 *bp = buffer;
+       struct ixgbe_hic_hdr hdr;
        u16 buf_len, dword_len;
        s32 status;
        u32 bi;
@@ -3706,12 +3704,13 @@ s32 ixgbe_host_interface_command(struct
ixgbe_hw *hw, void *buffer,

        /* first pull in the header so we know the buffer length */
        for (bi = 0; bi < dword_len; bi++) {
-               bp->u32arr[bi] = IXGBE_READ_REG_ARRAY(hw, IXGBE_FLEX_MNG, bi);
-               le32_to_cpus(&bp->u32arr[bi]);
+               bp[bi] = IXGBE_READ_REG_ARRAY(hw, IXGBE_FLEX_MNG, bi);
+               le32_to_cpus(&bp[bi]);
        }

        /* If there is any thing in data position pull it in */
-       buf_len = bp->hdr.buf_len;
+       memcpy(&hdr, bp, sizeof(hdr));
+       buf_len = hdr.buf_len;
        if (!buf_len)
                goto rel_out;

@@ -3726,8 +3725,8 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw
*hw, void *buffer,

        /* Pull in the rest of the buffer (bi is where we left off) */
        for (; bi <= dword_len; bi++) {
-               bp->u32arr[bi] = IXGBE_READ_REG_ARRAY(hw, IXGBE_FLEX_MNG, bi);
-               le32_to_cpus(&bp->u32arr[bi]);
+               bp[bi] = IXGBE_READ_REG_ARRAY(hw, IXGBE_FLEX_MNG, bi);
+               le32_to_cpus(&bp[bi]);
        }

 rel_out: