mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers/net/ethernet/mellanox/mlx5/core
Kees Cook ad5185735f net/mlx5e: Avoid field-overflowing memcpy()
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.

Use flexible arrays instead of zero-element arrays (which look like they
are always overflowing) and split the cross-field memcpy() into two halves
that can be appropriately bounds-checked by the compiler.

We were doing:

	#define ETH_HLEN  14
	#define VLAN_HLEN  4
	...
	#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)
	...
	struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);
	...
	struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;
	struct mlx5_wqe_data_seg *dseg = wqe->data;
	...
	memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);

target is wqe->eth.inline_hdr.start (which the compiler sees as being
2 bytes in size), but copying 18, intending to write across start
(really vlan_tci, 2 bytes). The remaining 16 bytes get written into
wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr
(8 bytes).

struct mlx5e_tx_wqe {
        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */
        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */
        struct mlx5_wqe_data_seg   data[];               /*    32     0 */

        /* size: 32, cachelines: 1, members: 3 */
        /* last cacheline: 32 bytes */
};

struct mlx5_wqe_eth_seg {
        u8                         swp_outer_l4_offset;  /*     0     1 */
        u8                         swp_outer_l3_offset;  /*     1     1 */
        u8                         swp_inner_l4_offset;  /*     2     1 */
        u8                         swp_inner_l3_offset;  /*     3     1 */
        u8                         cs_flags;             /*     4     1 */
        u8                         swp_flags;            /*     5     1 */
        __be16                     mss;                  /*     6     2 */
        __be32                     flow_table_metadata;  /*     8     4 */
        union {
                struct {
                        __be16     sz;                   /*    12     2 */
                        u8         start[2];             /*    14     2 */
                } inline_hdr;                            /*    12     4 */
                struct {
                        __be16     type;                 /*    12     2 */
                        __be16     vlan_tci;             /*    14     2 */
                } insert;                                /*    12     4 */
                __be32             trailer;              /*    12     4 */
        };                                               /*    12     4 */

        /* size: 16, cachelines: 1, members: 9 */
        /* last cacheline: 16 bytes */
};

struct mlx5_wqe_data_seg {
        __be32                     byte_count;           /*     0     4 */
        __be32                     lkey;                 /*     4     4 */
        __be64                     addr;                 /*     8     8 */

        /* size: 16, cachelines: 1, members: 3 */
        /* last cacheline: 16 bytes */
};

So, split the memcpy() so the compiler can reason about the buffer
sizes.

"pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe
nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object
code changes (i.e. only source line number induced differences and
optimizations).

Fixes: b5503b994e ("net/mlx5e: XDP TX forwarding support")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
2022-02-01 20:59:43 -08:00
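
The layout issue described in the commit message above, as an added userspace example (not the kernel's code and not the actual patch). The structs are simplified mirrors of the pahole output with fixed-width types, and `inline_flat()`, `inline_split()` and `split_matches_flat()` are hypothetical helpers showing one way to split the 18-byte copy so that each half stays inside a single destination object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MIN_INLINE 18  /* ETH_HLEN (14) + VLAN_HLEN (4), like MLX5E_XDP_MIN_INLINE */

/* Simplified userspace mirrors of the pahole layouts above (assumption). */
struct eth_seg {
	uint8_t  other[12];  /* swp_* ... flow_table_metadata, offsets 0..11 */
	uint16_t sz;         /* inline_hdr.sz, offset 12 */
	uint8_t  start[2];   /* inline_hdr.start, offset 14 */
};
struct data_seg { uint32_t byte_count; uint32_t lkey; uint64_t addr; };
struct tx_wqe {
	uint8_t         ctrl[16];
	struct eth_seg  eth;
	struct data_seg data[];  /* flexible array, offset 32 */
};
_Static_assert(sizeof(struct data_seg) == MIN_INLINE - 2, "second half fills data[0]");

/* Flat copy: 18 bytes starting at a 2-byte field, spilling into data[0]. */
static void inline_flat(void *wqe, const uint8_t *pkt)
{
	memcpy((unsigned char *)wqe + offsetof(struct tx_wqe, eth.start), pkt, MIN_INLINE);
}

/* Hypothetical split: each memcpy() stays inside one destination object. */
static void inline_split(struct tx_wqe *wqe, const uint8_t *pkt)
{
	memcpy(wqe->eth.start, pkt, sizeof(wqe->eth.start));
	memcpy(&wqe->data[0], pkt + sizeof(wqe->eth.start), sizeof(wqe->data[0]));
}

/* Returns 1 when both variants leave identical bytes in the WQE. */
static int split_matches_flat(void)
{
	size_t len = sizeof(struct tx_wqe) + sizeof(struct data_seg);
	struct tx_wqe *a = calloc(1, len), *b = calloc(1, len);
	uint8_t pkt[MIN_INLINE];  /* constructed sample header bytes */
	int same = 0;
	for (size_t i = 0; i < sizeof(pkt); i++) pkt[i] = (uint8_t)(0xA0 + i);
	if (a && b) {
		inline_split(a, pkt);
		inline_flat(b, pkt);
		same = memcmp(a, b, len) == 0;
	}
	free(a); free(b);
	return same;
}
```

The flat variant goes through an untyped byte pointer, so the compiler has no field size to check against; the split variant gives it a 2-byte and a 16-byte destination it can bound individually.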
..
accel net/mlx5: IPsec: make spdxcheck.py happy 2020-09-16 14:34:32 +02:00
diag Merge branch 'mlx5-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux into net-next 2021-10-27 21:33:28 -07:00
en net/mlx5e: Avoid field-overflowing memcpy() 2022-02-01 20:59:43 -08:00
en_accel net/mlx5e: IPsec: Fix tunnel mode crypto offload for non TCP/UDP traffic 2022-02-01 20:59:43 -08:00
esw net/mlx5: Bridge, ensure dev_name is null-terminated 2022-02-01 20:59:39 -08:00
fpga RDMA/mlx5: Replace struct mlx5_core_mkey by u32 key 2021-10-19 14:34:12 +03:00
ipoib net/mlx5e: Use dynamic per-channel allocations in stats 2021-12-21 19:08:57 -08:00
lag net/mlx5e: Don't block routes with nexthop objects in SW 2022-01-06 16:55:40 -08:00
lib net/mlx5: E-Switch, Fix uninitialized variable modact 2022-02-01 20:59:42 -08:00
sf Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
steering net/mlx5: DR, Ignore modify TTL if device doesn't support it 2021-12-31 00:17:41 -08:00
alloc.c net/mlx5: Use dma device access helper 2020-09-30 21:26:30 -07:00
cmd.c Revert "net/mlx5: Add retry mechanism to the command entry index allocation" 2022-01-06 16:55:42 -08:00
cq.c net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove() 2021-11-16 12:20:19 -08:00
debugfs.c net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove() 2021-11-16 12:20:19 -08:00
dev.c net/mlx5: CT: Set flow source hint from provided tuple device 2022-01-04 12:12:56 +00:00
devlink.c net/mlx5: Let user configure max_macs generic param 2021-12-21 19:08:55 -08:00
devlink.h net/mlx5: remove the recent devlink params 2021-10-26 10:18:32 -07:00
ecpf.c net/mlx5: Enable host PF HCA after eswitch is initialized 2020-11-26 18:45:03 -08:00
ecpf.h net/mlx5: Enable host PF HCA after eswitch is initialized 2020-11-26 18:45:03 -08:00
en.h net/mlx5e: Avoid field-overflowing memcpy() 2022-02-01 20:59:43 -08:00
en_arfs.c net/mlx5e: Use dynamic per-channel allocations in stats 2021-12-21 19:08:57 -08:00
en_common.c RDMA/mlx5: Replace struct mlx5_core_mkey by u32 key 2021-10-19 14:34:12 +03:00
en_dcbnl.c net/mlx5e: Cleanup safe switch channels API by passing params 2021-04-16 11:48:20 -07:00
en_dim.c
en_ethtool.c net/mlx5e: Refactor set_pflag_cqe_based_moder 2022-01-06 16:22:54 -08:00
en_fs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-22 11:41:16 +01:00
en_fs_ethtool.c net/mlx5e: Rename TIR lro functions to TIR packet merge functions 2021-10-26 19:30:39 -07:00
en_main.c driver core changes for 5.17-rc1 2022-01-12 11:11:34 -08:00
en_rep.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
en_rep.h net/mlx5: E-Switch, Add ovs internal port mapping to metadata support 2021-10-29 13:53:29 -07:00
en_rx.c net/mlx5e: Fix broken SKB allocation in HW-GRO 2022-02-01 20:59:41 -08:00
en_selftest.c net/mlx5e: loopback test is not supported in switchdev mode 2021-09-24 11:46:55 -07:00
en_stats.c net/mlx5e: Fix build error in fec_set_block_stats() 2022-01-09 16:29:55 -08:00
en_stats.h net/mlx5e: Add HW_GRO statistics 2021-10-26 19:30:41 -07:00
en_tc.c net/mlx5e: Avoid implicit modify hdr for decap drop rule 2022-02-01 20:59:43 -08:00
en_tc.h net/mlx5e: Add goto to tc action infra 2021-12-14 21:29:41 -08:00
en_tx.c net/mlx5e: Use struct_group() for memcpy() region 2022-02-01 20:59:43 -08:00
en_txrx.c net/mlx5e: kTLS, Add resiliency to RX resync failures 2021-04-16 11:48:08 -07:00
eq.c net/mlx5: SF, Use all available cpu for setting cpu affinity 2022-01-06 16:22:52 -08:00
eswitch.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-11-18 13:13:16 -08:00
eswitch.h net/mlx5: Remove the repeated declaration 2021-12-21 19:08:56 -08:00
eswitch_offloads.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
eswitch_offloads_termtbl.c net/mlx5e: Term table handling of internal port rules 2021-10-29 13:53:31 -07:00
events.c net/mlx5: Fix typo in comments 2021-08-11 11:14:30 -07:00
fs_cmd.c net/mlx5: DR, Add support for UPLINK destination type 2021-12-31 00:17:17 -08:00
fs_cmd.h net/mlx5: Add support to create match definer 2021-10-18 20:18:07 -07:00
fs_core.c net/mlx5: Set SMFS as a default steering mode if device supports it 2021-12-31 00:17:44 -08:00
fs_core.h net/mlx5: Add misc5 flow table match parameters 2021-12-31 00:17:23 -08:00
fs_counters.c net/mlx5: Dynamically resize flow counters query buffer 2021-12-02 16:53:16 -08:00
fs_ft_pool.c net/mlx5: check for allocation failure in mlx5_ft_pool_init() 2021-06-03 13:10:17 -07:00
fs_ft_pool.h net/mlx5: Move chains ft pool to be used by all firmware steering 2021-05-27 11:54:38 -07:00
fw.c net/mlx5: Add SHAMPO caps, HW bits and enumerations 2021-10-26 19:30:39 -07:00
fw_reset.c net/mlx5: Use del_timer_sync in fw reset flow of halting poll 2022-02-01 20:59:40 -08:00
fw_reset.h net/mlx5: Add devlink param enable_remote_dev_reset support 2020-10-09 12:06:53 -07:00
health.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-12-02 11:44:56 -08:00
irq_affinity.c net/mlx5: SF, Use all available cpu for setting cpu affinity 2022-01-06 16:22:52 -08:00
Kconfig mlx5: fix psample_sample_packet link error 2021-12-02 16:53:07 -08:00
main.c net/mlx5: Update log_max_qp value to FW max capability 2022-01-06 16:22:52 -08:00
Makefile net/mlx5: Split irq_pool_affinity logic to new file 2022-01-06 16:22:51 -08:00
mcg.c net/mlx5: Update mcg.c new cmd interface 2020-04-23 21:42:11 +03:00
mlx5_core.h net/mlx5: CT: Set flow source hint from provided tuple device 2022-01-04 12:12:56 +00:00
mlx5_irq.h net/mlx5: SF, Use all available cpu for setting cpu affinity 2022-01-06 16:22:52 -08:00
mr.c RDMA/mlx5: Replace struct mlx5_core_mkey by u32 key 2021-10-19 14:34:12 +03:00
pagealloc.c net/mlx5: Read timeout values from DTOR 2021-10-15 17:37:43 -07:00
pci_irq.c Updates for the interrupt subsystem: 2022-01-13 08:53:45 -08:00
pci_irq.h net/mlx5: SF, Use all available cpu for setting cpu affinity 2022-01-06 16:22:52 -08:00
pd.c net/mlx5: Update pd.c new cmd interface 2020-04-23 21:42:13 +03:00
port.c net/mlx5e: Fix module EEPROM query 2022-02-01 20:59:39 -08:00
qos.c net/mlx5e: Support HTB offload 2021-01-22 20:41:29 -08:00
qos.h net/mlx5e: Support HTB offload 2021-01-22 20:41:29 -08:00
rdma.c net/mlx5: Consider RoCE cap before init RDMA resources 2021-06-09 17:20:04 -07:00
rdma.h
rl.c net/mlx5: Pair mutex_destory with mutex_init for rate limit table 2021-04-02 16:13:06 -07:00
sriov.c net/mlx5: Introduce API for request and release IRQs 2021-06-14 20:57:57 -07:00
transobj.c net/mlx5e: Fix page reclaim for dead peer hairpin 2021-06-09 17:20:03 -07:00
uar.c IB/mlx5: Enable UAR to have DevX UID 2021-09-28 18:31:21 +03:00
vport.c net/mlx5: Check return status first when querying system_image_guid 2021-10-15 17:37:46 -07:00
wq.c net/mlx5: Use order-0 allocations for EQs 2021-03-12 13:07:46 -08:00
wq.h net/mlx5e: Add helper to get the RQ WQE counter 2020-07-02 21:05:18 -07:00