Re: net: thunderx: Buffer overwrite on bgx_probe

From: Sunil Kovvuri
Date: Thu Aug 03 2017 - 03:34:09 EST


On Wed, Aug 2, 2017 at 10:29 PM, Anton Vasilyev <vasilyev@xxxxxxxxx> wrote:
> Hello.
>
> While searching for memory errors in Linux kernel I've come across
> drivers/net/ethernet/cavium/thunder/thunder_bgx.ko module.
>
> I've found buffer overwrite at bgx_probe():
> Consider device PCI_SUBSYS_DEVID_83XX_BGX.
> max_bgx_per_node is set to 4 by set_max_bgx_per_node().
> Then on branch:
>     pci_read_config_word(pdev, PCI_DEVICE_ID, &sdevid);
>     if (sdevid != PCI_DEVICE_ID_THUNDER_RGX) {
>         bgx->bgx_id = (pci_resource_start(pdev,
>             PCI_CFG_REG_BAR_NUM) >> 24) & BGX_ID_MASK;
>         bgx->bgx_id += nic_get_node_id(pdev) * max_bgx_per_node;
>
> bgx->bgx_id could achieve value 3 + 3 * 4 = 15,

No, this will never be the case, the maximum no of NUMA nodes supported
on these platforms is 2, so the bgx_id will never go beyond 7.
And the platform 83XX taken as an example doesn't support NUMA, it's only
88XX which supports NUMA and maximum no of BGX supported on that is only 2.


> which leads to buffer overwrite on
> bgx_vnic[bgx->bgx_id] = bgx;
>
> Question: is it enough for fix to change bgx_vnic's size?
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> --
> Anton Vasilyev
> Linux Verification Center, ISPRAS
> web: http://linuxtesting.org
> e-mail: vasilyev@xxxxxxxxx

Thanks,
Sunil.
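
A user-space model of the index arithmetic discussed in this thread, as an added example that is not part of either message or of the driver: it enumerates the resulting indices for 2 and 4 nodes and shows an explicit bounds check before the table store. The value of BGX_ID_MASK, the node-id mask, the table size of 8 and the helper names are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: the thread only states 4 BGX per node on 83XX, a per-node
 * id of at most 3, and an upper bound of 7 when there are 2 nodes. */
#define BGX_ID_MASK    0x3u
#define NODE_ID_MASK   0x3u  /* hypothetical: widest node id the report considers */
#define BGX_TABLE_SIZE 8u    /* hypothetical size of the bgx_vnic[] table */

/* Same arithmetic as the quoted bgx_probe() branch, on plain integers. */
static unsigned int bgx_index(uint64_t bar_start, unsigned int node_id,
                              unsigned int max_bgx_per_node)
{
    unsigned int id = (unsigned int)(bar_start >> 24) & BGX_ID_MASK;
    return id + (node_id & NODE_ID_MASK) * max_bgx_per_node;
}

/* Bounds-checked store: 0 on success, -1 if idx is outside the table. */
static int bgx_table_store(void *table[], size_t table_len,
                           unsigned int idx, void *bgx)
{
    if (idx >= table_len)
        return -1;
    table[idx] = bgx;
    return 0;
}

/* Count (node, bgx) pairs whose index would fall outside the table. */
static unsigned int count_out_of_range(unsigned int nodes,
                                       unsigned int max_bgx_per_node)
{
    unsigned int bad = 0;
    for (unsigned int node = 0; node < nodes; node++)
        for (unsigned int b = 0; b <= BGX_ID_MASK; b++)
            if (bgx_index((uint64_t)b << 24, node, max_bgx_per_node) >= BGX_TABLE_SIZE)
                bad++;
    return bad;
}

int main(void)
{
    void *table[BGX_TABLE_SIZE] = { 0 };
    int dummy = 0;
    /* Worst case from the report: BGX 3 on node 3 with 4 BGX per node. */
    unsigned int idx = bgx_index((uint64_t)3 << 24, 3, 4);
    printf("out of range: 2 nodes=%u, 4 nodes=%u\n",
           count_out_of_range(2, 4), count_out_of_range(4, 4));
    printf("store at %u -> %d\n", idx,
           bgx_table_store(table, BGX_TABLE_SIZE, idx, &dummy));
    return 0;
}
```

With the check in place, the safety of the store no longer rests on the platform limit on node count given in the reply.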