| Message ID | 20201118153310.112404-1-parri.andrea@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | hv_netvsc: Validate number of allocated sub-channels | expand |
On Wed, 18 Nov 2020 16:33:10 +0100 Andrea Parri (Microsoft) wrote: > Lack of validation could lead to out-of-bound reads and information > leaks (cf. usage of nvdev->chan_table[]). Check that the number of > allocated sub-channels fits into the expected range. > > Suggested-by: Saruhan Karademir <skarade@microsoft.com> > Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: netdev@vger.kernel.org Acked-by: Jakub Kicinski <kuba@kernel.org>
On Wed, Nov 18, 2020 at 05:37:15PM -0800, Jakub Kicinski wrote: > On Wed, 18 Nov 2020 16:33:10 +0100 Andrea Parri (Microsoft) wrote: > > Lack of validation could lead to out-of-bound reads and information > > leaks (cf. usage of nvdev->chan_table[]). Check that the number of > > allocated sub-channels fits into the expected range. > > > > Suggested-by: Saruhan Karademir <skarade@microsoft.com> > > Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> > > Cc: "David S. Miller" <davem@davemloft.net> > > Cc: Jakub Kicinski <kuba@kernel.org> > > Cc: netdev@vger.kernel.org > > Acked-by: Jakub Kicinski <kuba@kernel.org> Applied to hyperv-next.
From: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Sent: Wednesday, November 18, 2020 7:33 AM > > Lack of validation could lead to out-of-bound reads and information > leaks (cf. usage of nvdev->chan_table[]). Check that the number of > allocated sub-channels fits into the expected range. > > Suggested-by: Saruhan Karademir <skarade@microsoft.com> > Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: netdev@vger.kernel.org > --- > Based on hyperv-next. > > drivers/net/hyperv/rndis_filter.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c > index 3835d9bea1005..c5a709f67870f 100644 > --- a/drivers/net/hyperv/rndis_filter.c > +++ b/drivers/net/hyperv/rndis_filter.c > @@ -1226,6 +1226,11 @@ int rndis_set_subchannel(struct net_device *ndev, > return -EIO; > } > > + /* Check that number of allocated sub channel is within the expected range */ > + if (init_packet->msg.v5_msg.subchn_comp.num_subchannels > nvdev->num_chn - 1) { > + netdev_err(ndev, "invalid number of allocated sub channel\n"); > + return -EINVAL; > + } > nvdev->num_chn = 1 + > init_packet->msg.v5_msg.subchn_comp.num_subchannels; > > -- > 2.25.1 Reviewed-by: Michael Kelley <mikelley@microsoft.com>
diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c index 3835d9bea1005..c5a709f67870f 100644 --- a/drivers/net/hyperv/rndis_filter.c +++ b/drivers/net/hyperv/rndis_filter.c @@ -1226,6 +1226,11 @@ int rndis_set_subchannel(struct net_device *ndev, return -EIO; } + /* Check that number of allocated sub channel is within the expected range */ + if (init_packet->msg.v5_msg.subchn_comp.num_subchannels > nvdev->num_chn - 1) { + netdev_err(ndev, "invalid number of allocated sub channel\n"); + return -EINVAL; + } nvdev->num_chn = 1 + init_packet->msg.v5_msg.subchn_comp.num_subchannels;
Lack of validation could lead to out-of-bound reads and information leaks (cf. usage of nvdev->chan_table[]). Check that the number of allocated sub-channels fits into the expected range. Suggested-by: Saruhan Karademir <skarade@microsoft.com> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: netdev@vger.kernel.org --- Based on hyperv-next. drivers/net/hyperv/rndis_filter.c | 5 +++++ 1 file changed, 5 insertions(+)