[PATCH] net/hinic: fix the problem that out-of-bounds access

From: Shaozhengchao shaozhengchao@huawei.com

driver inclusion category: bugfix bugzilla: 4472

-----------------------------------------------------------------------

Fix the problem that out-of-bounds access caused by user input In order to solve the problem, restrictions are imposed on each input which is done in kernel driver.

Signed-off-by: Shaozhengchao shaozhengchao@huawei.com Reviewed-by: Luoshaokai luoshaokai@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/net/ethernet/huawei/hinic/hinic_nictool.c | 18 ++++++++++++++++++ drivers/net/ethernet/huawei/hinic/hinic_nictool.h | 2 ++ drivers/net/ethernet/huawei/hinic/hinic_sml_counter.c | 16 +++++++++++++--- 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/huawei/hinic/hinic_nictool.c b/drivers/net/ethernet/huawei/hinic/hinic_nictool.c index 46dd9ec..df01088 100644 --- a/drivers/net/ethernet/huawei/hinic/hinic_nictool.c +++ b/drivers/net/ethernet/huawei/hinic/hinic_nictool.c @@ -1712,6 +1712,19 @@ static u32 get_up_timeout_val(enum hinic_mod_type mod, u8 cmd) return UP_COMP_TIME_OUT_VAL; }

+static int check_useparam_valid(struct msg_module *nt_msg, void *buf_in) +{ + struct csr_write_st *csr_write_msg = (struct csr_write_st *)buf_in; + u32 rd_len = csr_write_msg->rd_len; + + if (rd_len > TOOL_COUNTER_MAX_LEN) { + pr_err("Csr read or write len is invalid!\n"); + return -EINVAL; + } + + return 0; +} + static int send_to_up(void *hwdev, struct msg_module *nt_msg, void *buf_in, u32 in_size, void *buf_out, u32 *out_size) { @@ -1744,6 +1757,9 @@ static int send_to_up(void *hwdev, struct msg_module *nt_msg, }

} else if (nt_msg->up_cmd.up_db.up_api_type == API_CHAIN) { + if (check_useparam_valid(nt_msg, buf_in)) + return -EINVAL; + if (nt_msg->up_cmd.up_db.chipif_cmd == API_CSR_WRITE) { ret = api_csr_write(hwdev, nt_msg, buf_in, in_size, buf_out, out_size); @@ -1994,6 +2010,8 @@ static int get_all_chip_id_cmd(struct msg_module *nt_msg) { struct nic_card_id card_id;

+ memset(&card_id, 0, sizeof(card_id)); + hinic_get_all_chip_id((void *)&card_id);

if (copy_to_user(nt_msg->out_buf, &card_id, sizeof(card_id))) { diff --git a/drivers/net/ethernet/huawei/hinic/hinic_nictool.h b/drivers/net/ethernet/huawei/hinic/hinic_nictool.h index cfbe435..e8eccaf 100644 --- a/drivers/net/ethernet/huawei/hinic/hinic_nictool.h +++ b/drivers/net/ethernet/huawei/hinic/hinic_nictool.h @@ -285,4 +285,6 @@ struct hinic_pf_info { extern void hinic_get_io_stats(struct hinic_nic_dev *nic_dev, struct hinic_show_item *items);

+#define TOOL_COUNTER_MAX_LEN 512 + #endif diff --git a/drivers/net/ethernet/huawei/hinic/hinic_sml_counter.c b/drivers/net/ethernet/huawei/hinic/hinic_sml_counter.c index 9536adf..eb35df6 100644 --- a/drivers/net/ethernet/huawei/hinic/hinic_sml_counter.c +++ b/drivers/net/ethernet/huawei/hinic/hinic_sml_counter.c @@ -253,9 +253,19 @@ int hinic_sm_ctr_rd64_pair(void *hwdev, u8 node, u8 instance, ctr_rd_rsp_u rsp; int ret;

- if (!hwdev || (0 != (ctr_id & 0x1)) || !value1 || !value2) { - pr_err("Hwdev(0x%p) or value1(0x%p) or value2(0x%p) is NULL or ctr_id(%d) is odd number\n", - hwdev, value1, value2, ctr_id); + if (!value1) { + pr_err("value1 is NULL for read 64 bit pair\n"); + return -EFAULT; + } + + if (!value2) { + pr_err("value2 is NULL for read 64 bit pair\n"); + return -EFAULT; + } + + if (!hwdev || (0 != (ctr_id & 0x1))) { + pr_err("Hwdev is NULL or ctr_id(%d) is odd number for read 64 bit pair\n", + ctr_id); return -EFAULT; }