From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Tue, 4 Sep 2018 07:37:33 -0700
Subject: nfp: validate rtsym accesses fall within the symbol
Patch-mainline: v4.20-rc1
Git-commit: e84b2f2db2eaf025fb5bcec7223b749a9554174a
References: bsc#1109837
With the accesses to rtsyms now all going via special helpers
we can easily make sure the driver is not reading past the
end of the symbol.
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Francois H. Theron <francois.theron@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_rtsym.c | 48 +++++++++++++++--
1 file changed, 45 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_rtsym.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_rtsym.c
@@ -39,6 +39,8 @@
* Espen Skoglund <espen.skoglund@netronome.com>
* Francois H. Theron <francois.theron@netronome.com>
*/
+
+#include <asm/unaligned.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>
@@ -285,15 +287,23 @@ nfp_rtsym_to_dest(struct nfp_cpp *cpp, c
int __nfp_rtsym_read(struct nfp_cpp *cpp, const struct nfp_rtsym *sym,
u8 action, u8 token, u64 off, void *buf, size_t len)
{
+ u64 sym_size = nfp_rtsym_size(sym);
u32 cpp_id;
u64 addr;
int err;
+ if (off > sym_size) {
+ nfp_err(cpp, "rtsym '%s': read out of bounds: off: %lld + len: %zd > size: %lld\n",
+ sym->name, off, len, sym_size);
+ return -ENXIO;
+ }
+ len = min_t(size_t, len, sym_size - off);
+
if (sym->type == NFP_RTSYM_TYPE_ABS) {
- __le64 tmp = cpu_to_le64(sym->addr);
+ u8 tmp[8];
- len = min(len, sizeof(tmp));
- memcpy(buf, &tmp, len);
+ put_unaligned_le64(sym->addr, tmp);
+ memcpy(buf, &tmp[off], len);
return len;
}
@@ -318,6 +328,12 @@ int __nfp_rtsym_readl(struct nfp_cpp *cp
u64 addr;
int err;
+ if (off + 4 > nfp_rtsym_size(sym)) {
+ nfp_err(cpp, "rtsym '%s': readl out of bounds: off: %lld + 4 > size: %lld\n",
+ sym->name, off, nfp_rtsym_size(sym));
+ return -ENXIO;
+ }
+
err = nfp_rtsym_to_dest(cpp, sym, action, token, off, &cpp_id, &addr);
if (err)
return err;
@@ -338,6 +354,12 @@ int __nfp_rtsym_readq(struct nfp_cpp *cp
u64 addr;
int err;
+ if (off + 8 > nfp_rtsym_size(sym)) {
+ nfp_err(cpp, "rtsym '%s': readq out of bounds: off: %lld + 8 > size: %lld\n",
+ sym->name, off, nfp_rtsym_size(sym));
+ return -ENXIO;
+ }
+
if (sym->type == NFP_RTSYM_TYPE_ABS) {
*value = sym->addr;
return 0;
@@ -359,10 +381,18 @@ int nfp_rtsym_readq(struct nfp_cpp *cpp,
int __nfp_rtsym_write(struct nfp_cpp *cpp, const struct nfp_rtsym *sym,
u8 action, u8 token, u64 off, void *buf, size_t len)
{
+ u64 sym_size = nfp_rtsym_size(sym);
u32 cpp_id;
u64 addr;
int err;
+ if (off > sym_size) {
+ nfp_err(cpp, "rtsym '%s': write out of bounds: off: %lld + len: %zd > size: %lld\n",
+ sym->name, off, len, sym_size);
+ return -ENXIO;
+ }
+ len = min_t(size_t, len, sym_size - off);
+
err = nfp_rtsym_to_dest(cpp, sym, action, token, off, &cpp_id, &addr);
if (err)
return err;
@@ -383,6 +413,12 @@ int __nfp_rtsym_writel(struct nfp_cpp *c
u64 addr;
int err;
+ if (off + 4 > nfp_rtsym_size(sym)) {
+ nfp_err(cpp, "rtsym '%s': writel out of bounds: off: %lld + 4 > size: %lld\n",
+ sym->name, off, nfp_rtsym_size(sym));
+ return -ENXIO;
+ }
+
err = nfp_rtsym_to_dest(cpp, sym, action, token, off, &cpp_id, &addr);
if (err)
return err;
@@ -403,6 +439,12 @@ int __nfp_rtsym_writeq(struct nfp_cpp *c
u64 addr;
int err;
+ if (off + 8 > nfp_rtsym_size(sym)) {
+ nfp_err(cpp, "rtsym '%s': writeq out of bounds: off: %lld + 8 > size: %lld\n",
+ sym->name, off, nfp_rtsym_size(sym));
+ return -ENXIO;
+ }
+
err = nfp_rtsym_to_dest(cpp, sym, action, token, off, &cpp_id, &addr);
if (err)
return err;