RE: [PATCH] hippi: fix possible buffer overflow caused by bad DMA value in rr_start_xmit()
From: Sunil Kovvuri Goutham
Date: Wed Jun 12 2024 - 13:20:53 EST
>-----Original Message-----
>From: Huai-Yuan Liu <qq810974084@xxxxxxxxx>
>Sent: Wednesday, June 12, 2024 3:02 PM
>To: jes@xxxxxxxxxxxxxxxxxx; davem@xxxxxxxxxxxxx; edumazet@xxxxxxxxxx;
>kuba@xxxxxxxxxx; pabeni@xxxxxxxxxx
>Cc: linux-hippi@xxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
>baijiaju1990@xxxxxxxxx; Huai-Yuan Liu <qq810974084@xxxxxxxxx>
>Subject: [EXTERNAL] [PATCH] hippi: fix possible buffer overflow caused by bad DMA
>value in rr_start_xmit()
>
>The value rrpriv->info->tx_ctrl is stored in DMA memory, and it is assigned to txctrl,
>so txctrl->pi can be modified at any time by malicious hardware. Becausetxctrl->pi is
>assigned to index, buffer overflow may occur when the code
>
>The value rrpriv->info->tx_ctrl is stored in DMA memory, and it is assigned to txctrl,
>so txctrl->pi can be modified at any time by malicious hardware. Becausetxctrl->pi is
>assigned to index, buffer overflow may occur when the code "rrpriv-
>>tx_skbuff[index]" is executed.
>
>To address this issue, the index should be checked.
>
>Fixes: f33a7251c825 ("hippi: switch from 'pci_' to 'dma_' API")
>Signed-off-by: Huai-Yuan Liu <qq810974084@xxxxxxxxx>
>---
LGTM
Reviewed-by: Sunil Goutham <sgoutham@xxxxxxxxxxx>