2022-10-22 01:27:12

by yekai (A)

Subject: [PATCH v3 0/3] crypto: hisilicon/qm - some misc-fixes by fuzz test

Resolve stack overflow risks for algqos api. Invalid parameter checking is
added. And simplify some code.

changes v1->v2:
- modify a comment.
changes v2->v3:
- document the stack overflow cause.

Kai Ye (3):
crypto: hisilicon/qm - increase the memory of local variables
crypto: hisilicon/qm - add pci bdf number check
crypto: hisilicon/qm - delete redundancy check

drivers/crypto/hisilicon/qm.c | 43 +++++++++++------------------------
1 file changed, 13 insertions(+), 30 deletions(-)

--
2.17.1


2022-10-22 01:27:55

by yekai (A)

Subject: [PATCH v3 1/3] crypto: hisilicon/qm - increase the memory of local variables

Increase the buffer to prevent stack overflow by fuzz test. The maximum
length of the qos configuration buffer is 256 bytes. Currently, the value
of the 'val buffer' is only 32 bytes. The sscanf does not check the dest
memory length. So the 'val buffer' may overflow the stack.

Signed-off-by: Kai Ye <[email protected]>
---
drivers/crypto/hisilicon/qm.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index e3edb176d976..5d79e9f0e7e1 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -250,7 +250,6 @@
#define QM_QOS_MIN_CIR_B 100
#define QM_QOS_MAX_CIR_U 6
#define QM_QOS_MAX_CIR_S 11
-#define QM_QOS_VAL_MAX_LEN 32
#define QM_DFX_BASE 0x0100000
#define QM_DFX_STATE1 0x0104000
#define QM_DFX_STATE2 0x01040C8
@@ -4612,7 +4611,7 @@ static ssize_t qm_get_qos_value(struct hisi_qm *qm, const char *buf,
unsigned int *fun_index)
{
char tbuf_bdf[QM_DBG_READ_LEN] = {0};
- char val_buf[QM_QOS_VAL_MAX_LEN] = {0};
+ char val_buf[QM_DBG_READ_LEN] = {0};
u32 tmp1, device, function;
int ret, bus;

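Review bot: Enlarging val_buf to QM_DBG_READ_LEN removes the 32-byte mismatch, but nothing in this hunk bounds the copy itself. Per the commit message the sscanf does not check the destination length, so safety still rests on the caller never passing in more than the buffers can hold, terminator included. Consider giving each %s conversion an explicit field width one less than the buffer size, or splitting the input with a length-aware helper, so the limit is enforced where the copy happens. With tbuf_bdf and val_buf both sized QM_DBG_READ_LEN, the stack frame of qm_get_qos_value() also grows accordingly, which is worth a line in the commit message.
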
--
2.17.1

2022-10-22 01:28:15

by yekai (A)

Subject: [PATCH v3 2/3] crypto: hisilicon/qm - add pci bdf number check

The pci bdf number check is added for qos written by using the pci api.
Directly get the devfn by pci_dev, so delete some redundant code.
And use the kstrtoul instead of sscanf to simplify code.

Signed-off-by: Kai Ye <[email protected]>
---
drivers/crypto/hisilicon/qm.c | 37 ++++++++++++-----------------------
1 file changed, 12 insertions(+), 25 deletions(-)

diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index 5d79e9f0e7e1..80eeb966cf89 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -4589,49 +4589,36 @@ static ssize_t qm_algqos_read(struct file *filp, char __user *buf,
return ret;
}

-static ssize_t qm_qos_value_init(const char *buf, unsigned long *val)
-{
- int buflen = strlen(buf);
- int ret, i;
-
- for (i = 0; i < buflen; i++) {
- if (!isdigit(buf[i]))
- return -EINVAL;
- }
-
- ret = sscanf(buf, "%lu", val);
- if (ret != QM_QOS_VAL_NUM)
- return -EINVAL;
-
- return 0;
-}
-
static ssize_t qm_get_qos_value(struct hisi_qm *qm, const char *buf,
unsigned long *val,
unsigned int *fun_index)
{
+ struct bus_type *bus_type = qm->pdev->dev.bus;
char tbuf_bdf[QM_DBG_READ_LEN] = {0};
char val_buf[QM_DBG_READ_LEN] = {0};
- u32 tmp1, device, function;
- int ret, bus;
+ struct pci_dev *pdev;
+ struct device *dev;
+ int ret;

ret = sscanf(buf, "%s %s", tbuf_bdf, val_buf);
if (ret != QM_QOS_PARAM_NUM)
return -EINVAL;

- ret = qm_qos_value_init(val_buf, val);
+ ret = kstrtoul(val_buf, 10, val);
if (ret || *val == 0 || *val > QM_QOS_MAX_VAL) {
pci_err(qm->pdev, "input qos value is error, please set 1~1000!\n");
return -EINVAL;
}

- ret = sscanf(tbuf_bdf, "%u:%x:%u.%u", &tmp1, &bus, &device, &function);
- if (ret != QM_QOS_BDF_PARAM_NUM) {
- pci_err(qm->pdev, "input pci bdf value is error!\n");
- return -EINVAL;
+ dev = bus_find_device_by_name(bus_type, NULL, tbuf_bdf);
+ if (!dev) {
+ pci_err(qm->pdev, "input pci bdf number is error!\n");
+ return -ENODEV;
}

- *fun_index = PCI_DEVFN(device, function);
+ pdev = container_of(dev, struct pci_dev, dev);
+
+ *fun_index = pdev->devfn;

return 0;
}
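
Review bot: The dev returned by bus_find_device_by_name() holds a reference that is never dropped on the path that reads pdev->devfn and returns 0; add put_device(dev) once devfn has been copied into *fun_index. The lookup also matches any device on the bus by name, so nothing in this hunk stops a BDF that belongs to an unrelated PCI device from being accepted and its devfn used as the function index; consider checking that the device found belongs to this qm. Minor: to_pci_dev(dev) is the usual helper in place of the open-coded container_of(), and the sscanf(buf, "%s %s", ...) kept as context still carries no field widths.
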
--
2.17.1

2022-10-28 05:05:58

by Herbert Xu

Subject: Re: [PATCH v3 0/3] crypto: hisilicon/qm - some misc-fixes by fuzz test

On Sat, Oct 22, 2022 at 01:17:43AM +0000, Kai Ye wrote:
> Resolve stack overflow risks for algqos api. Invalid parameter checking is
> added. And simplify some code.
>
> changes v1->v2:
> - modify a comment.
> changes v2->v3:
> - document the stack overflow cause.
>
> Kai Ye (3):
> crypto: hisilicon/qm - increase the memory of local variables
> crypto: hisilicon/qm - add pci bdf number check
> crypto: hisilicon/qm - delete redundancy check
>
> drivers/crypto/hisilicon/qm.c | 43 +++++++++++------------------------
> 1 file changed, 13 insertions(+), 30 deletions(-)
>
> --
> 2.17.1

All applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt