[PATCH openEuler-1.0-LTS] net: amd-xgbe: Fix skb data length underflow - Kernel

4 Jul 2024

From: Shyam Sundar S K Shyam-sundar.S-k@amd.com
mainline inclusion
from mainline-v5.17-rc3
commit 5aac9108a180fc06e28d4e7fb00247ce603b72ee
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72MM
CVE: CVE-2022-48743
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
----------------------------------
There will be BUG_ON() triggered in include/linux/skbuff.h leading to
intermittent kernel panic, when the skb length underflow is detected.
Fix this by dropping the packet if such length underflows are seen
because of inconsistencies in the hardware descriptors.
Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware")
Suggested-by: Tom Lendacky thomas.lendacky@amd.com
Signed-off-by: Shyam Sundar S K Shyam-sundar.S-k@amd.com
Acked-by: Tom Lendacky thomas.lendacky@amd.com
Link: https://lore.kernel.org/r/20220127092003.2812745-1-Shyam-sundar.S-k@amd.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Zheng Zucheng zhengzucheng@huawei.com
---
 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index d96a84a62d78..cdbabd77f2d4 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -2765,6 +2765,14 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
    		buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
    		len += buf2_len;
+			if (buf2_len > rdata->rx.buf.dma_len) {
+				/* Hardware inconsistency within the descriptors
+				 * that has resulted in a length underflow.
+				 */
+				error = 1;
+				goto skip_data;
+			}
+
    		if (!skb) {
    			skb = xgbe_create_skb(pdata, napi, rdata,
    					      buf1_len);
@@ -2794,8 +2802,10 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
    	if (!last || context_next)
    		goto read_again;
-		if (!skb)
+		if (!skb || error) {
+			dev_kfree_skb(skb);
    		goto next_packet;
+		}
/* Be sure we don't exceed the configured MTU */
    	max_len = netdev->mtu + ETH_HLEN;
-- 
2.34.1


    