Date: Thu, 8 Dec 2022 19:22:32 +0200
From: Vladimir Oltean
To: "Radu Nicolae Pirea (OSS)"
Cc: andrew@lunn.ch, f.fainelli@gmail.com, davem@davemloft.net, gregkh@linuxfoundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH RESEND v2] net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
Message-ID: <20221208172232.fldnlue35km76ldt@skbuf>
References: <20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.com>
In-Reply-To: <20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 07, 2022 at 03:23:47PM +0200, Radu Nicolae Pirea (OSS) wrote:
> The SJA1105 family has 45 L2 policing table entries
> (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
> (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
> accounting for the difference in port count (5 in SJA1105 vs 10 in
> SJA1110) does not fully explain the difference. Rather, the SJA1110 also
> has L2 ingress policers for multicast traffic. If a packet is classified
> as multicast, it will be processed by the policer index 99 + SRCPORT.
>
> The sja1105_init_l2_policing() function initializes all L2 policers such
> that they don't interfere with normal packet reception by default. To have
> common code between SJA1105 and SJA1110, the index of the multicast
> policer for the port is calculated because it's an index that is out of
> bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
> performed.
>
> The code fails to do the proper thing when determining what to do with the
> multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
> index will be equal to 45, which is also equal to
> table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
> through the check. But at the same time, SJA1105 doesn't have multicast
> policers. So the code programs the SHARINDX field of an out-of-bounds
> element in the L2 Policing table of the static config.
>
> The comparison between index 45 and 45 entries should have determined the
> code to not access this policer index on SJA1105, since its memory wasn't
> even allocated.
>
> With enough bad luck, the out-of-bounds write could even overwrite other
> valid kernel data, but in this case, the issue was detected using KASAN.
>
> Kernel log:
>
> sja1105 spi5.0: Probed switch chip: SJA1105Q
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
> Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
> ...
> Workqueue: events_unbound deferred_probe_work_func
> Call trace:
> ...
> sja1105_setup+0x1cbc/0x2340
> dsa_register_switch+0x1284/0x18d0
> sja1105_probe+0x748/0x840
> ...
> Allocated by task 8:
> ...
> sja1105_setup+0x1bcc/0x2340
> dsa_register_switch+0x1284/0x18d0
> sja1105_probe+0x748/0x840
> ...
>
> Fixes: 38fbe91f2287 ("net: dsa: sja1105: configure the multicast policers, if present")
> CC: stable@vger.kernel.org # 5.15+
> Signed-off-by: Radu Nicolae Pirea (OSS)
> ---

Reviewed-by: Vladimir Oltean
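The off-by-one in the quoted commit message, as an added stand-alone example that is not part of this thread or of the sja1105 driver. It models the bounds guard with the numbers the message gives (a 45-entry table on SJA1105 with a computed multicast index of 45 for port 0; a 110-entry table on SJA1110 with multicast index 99 + SRCPORT) and shows why `mcast <= max_entry_count` lets an index equal to the entry count through while `mcast < max_entry_count` does not. The table layout, the struct and function names, and the extra range check that stands in for KASAN are assumptions of the example, not the driver's code, and the example does not reproduce the driver's index formula.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Table sizes as stated in the commit message above. */
#define SJA1105_MAX_L2_POLICING_COUNT 45
#define SJA1110_MAX_L2_POLICING_COUNT 110

/* Hypothetical stand-in for an L2 policing entry: only the field the bug touches. */
struct l2_policing_entry {
	int sharindx;
};

/* Hypothetical table: exactly max_entry_count entries are allocated, nothing more. */
struct policing_table {
	size_t max_entry_count;
	struct l2_policing_entry *entries;
};

enum mcast_result {
	MCAST_SKIPPED,      /* guard refused the index; nothing written */
	MCAST_PROGRAMMED,   /* index valid; sharindx written */
	MCAST_OOB_WRITE,    /* guard accepted an index past the end of the table */
	MCAST_ALLOC_FAILED, /* example could not allocate its table */
};

typedef bool (*bounds_check_fn)(size_t mcast, size_t max_entry_count);

/* The guard as the message describes it: an index equal to the entry count passes. */
bool mcast_in_bounds_buggy(size_t mcast, size_t max_entry_count)
{
	return mcast <= max_entry_count;
}

/* Corrected guard: valid indices are 0 .. max_entry_count - 1. */
bool mcast_in_bounds_fixed(size_t mcast, size_t max_entry_count)
{
	return mcast < max_entry_count;
}

/*
 * Program the multicast policer of one port. The second range check is not
 * something a driver has; it plays the role KASAN played in the report and
 * turns the out-of-bounds write into a result value instead of heap corruption.
 */
static enum mcast_result program_mcast_policer(struct policing_table *table,
					       size_t mcast, int port,
					       bounds_check_fn in_bounds)
{
	if (!in_bounds(mcast, table->max_entry_count))
		return MCAST_SKIPPED;
	if (mcast >= table->max_entry_count)
		return MCAST_OOB_WRITE;
	table->entries[mcast].sharindx = port;
	return MCAST_PROGRAMMED;
}

static struct policing_table *table_alloc(size_t max_entry_count)
{
	struct policing_table *t = calloc(1, sizeof(*t));
	if (!t)
		return NULL;
	t->entries = calloc(max_entry_count, sizeof(*t->entries));
	if (!t->entries) {
		free(t);
		return NULL;
	}
	t->max_entry_count = max_entry_count;
	return t;
}

static void table_free(struct policing_table *t)
{
	if (!t)
		return;
	free(t->entries);
	free(t);
}

/* SJA1105, port 0: multicast index 45 on a 45-entry table (numbers from the message). */
enum mcast_result sja1105_port0_mcast(bool use_fixed_guard)
{
	struct policing_table *t = table_alloc(SJA1105_MAX_L2_POLICING_COUNT);
	enum mcast_result r;

	if (!t)
		return MCAST_ALLOC_FAILED;
	r = program_mcast_policer(t, 45, 0, use_fixed_guard ? mcast_in_bounds_fixed
							   : mcast_in_bounds_buggy);
	table_free(t);
	return r;
}

/*
 * SJA1110: multicast policer index 99 + SRCPORT on a 110-entry table. Returns how
 * many ports end up with sharindx == port, to show the corrected guard still
 * programs every multicast policer where the hardware actually has one.
 */
int sja1110_mcast_programmed_count(int num_ports, bool use_fixed_guard)
{
	struct policing_table *t = table_alloc(SJA1110_MAX_L2_POLICING_COUNT);
	bounds_check_fn guard = use_fixed_guard ? mcast_in_bounds_fixed : mcast_in_bounds_buggy;
	int programmed = 0;

	if (!t)
		return -1;
	for (int port = 0; port < num_ports; port++) {
		size_t mcast = 99 + (size_t)port;

		if (program_mcast_policer(t, mcast, port, guard) == MCAST_PROGRAMMED &&
		    t->entries[mcast].sharindx == port)
			programmed++;
	}
	table_free(t);
	return programmed;
}

int main(void)
{
	printf("SJA1105 port 0, '<=' guard: %s\n",
	       sja1105_port0_mcast(false) == MCAST_OOB_WRITE ? "out-of-bounds write" : "ok");
	printf("SJA1105 port 0, '<'  guard: %s\n",
	       sja1105_port0_mcast(true) == MCAST_SKIPPED ? "skipped" : "ok");
	printf("SJA1110, '<' guard: %d of 10 multicast policers programmed\n",
	       sja1110_mcast_programmed_count(10, true));
	return 0;
}
```

The general lesson carries beyond this driver: a computed index is valid only when it is strictly below the element count, and a guard that also accepts equality is wrong by exactly the one element that lives past the end of the allocation, which is what KASAN reported as an 8-byte slab-out-of-bounds write.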