Date: Sun, 12 Oct 2014 09:13:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 194314] New: [ixgbe] driver makes some dangerous assumptions with struct mbuf sizing with IXGBE_RX_COPY_LEN
Message-ID: <bug-194314-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194314

            Bug ID: 194314
           Summary: [ixgbe] driver makes some dangerous assumptions with
                    struct mbuf sizing with IXGBE_RX_COPY_LEN
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ngie@FreeBSD.org

The code in sys/dev/ixgbe/ixgbe.h assumes that MLEN is always > 160, and
doesn't exceed the size of the mbuf. MSIZE is set to 256, so if
MHLEN = MSIZE - sizeof(struct m_hdr) - sizeof(struct pkthdr) < 160, ixgbe will
scribble over the header information in mbufs. Similarly, if IXGBE_RX_COPY_LEN
is greater than the size of the mbuf, it will scribble over other memory,
potentially in the same mbuf chain, or elsewhere. This optimization needs
better bounds checking/handling.

    /*
     * Used for optimizing small rx mbufs.  Effort is made to keep the copy
     * small and aligned for the CPU L1 cache.
     *
     * MHLEN is typically 168 bytes, giving us 8-byte alignment.  Getting
     * 32 byte alignment needed for the fast bcopy results in 8 bytes being
     * wasted.  Getting 64 byte alignment, which _should_ be ideal for
     * modern Intel CPUs, results in 40 bytes wasted and a significant drop
     * in observed efficiency of the optimization, 97.9% -> 81.8%.
     */
    #define IXGBE_RX_COPY_LEN       160
    #define IXGBE_RX_COPY_ALIGN     (MHLEN - IXGBE_RX_COPY_LEN)

     * MLEN is data length in a normal mbuf.
     * MHLEN is data length in an mbuf with pktheader.
     * MINCLSIZE is a smallest amount of data that should be put into cluster.
     */
    #define MLEN            ((int)(MSIZE - sizeof(struct m_hdr)))
    #define MHLEN           ((int)(MLEN - sizeof(struct pkthdr)))
    #define MINCLSIZE       (MHLEN + 1)

-- 
You are receiving this mail because:
You are the assignee for the bug.
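
Added example (not part of the original report and not ixgbe driver code): a userland C model of the bounds checking the report asks for, with a build-time guard and a runtime-checked copy. The MODEL_* and RX_* names, both functions and the struct sizes are assumptions made for illustration; the header sizes are constructed so that MHLEN comes out at 168, the value the quoted comment mentions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: header sizes are assumptions chosen so MHLEN comes out
 * at the 168 bytes the quoted comment mentions; not FreeBSD's real structs. */
#define MODEL_MSIZE 256
struct model_m_hdr  { unsigned char pad[32]; };
struct model_pkthdr { unsigned char pad[56]; };
#define MODEL_MLEN  ((int)(MODEL_MSIZE - sizeof(struct model_m_hdr)))
#define MODEL_MHLEN ((int)(MODEL_MLEN - sizeof(struct model_pkthdr)))
#define RX_COPY_LEN   160
#define RX_COPY_ALIGN (MODEL_MHLEN - RX_COPY_LEN)

struct model_mbuf {
    struct model_m_hdr  hdr;
    struct model_pkthdr pkthdr;
    unsigned char       databuf[MODEL_MHLEN];
};

/* Build-time guard: a layout change that shrinks MHLEN below the copy length
 * stops the build instead of producing a negative alignment offset. */
_Static_assert(RX_COPY_LEN <= MODEL_MHLEN, "RX copy length exceeds MHLEN");
_Static_assert(sizeof(struct model_mbuf) == MODEL_MSIZE, "model mbuf != MSIZE");

/* Same arithmetic with the sizes as parameters: returns the alignment offset
 * (MHLEN - copy_len) if the copy fits, or -1 if it would leave the data area. */
int rx_copy_align(int msize, int m_hdr_size, int pkthdr_size, int copy_len)
{
    int mhlen = msize - m_hdr_size - pkthdr_size;
    if (mhlen <= 0 || copy_len <= 0 || copy_len > mhlen)
        return -1;
    return mhlen - copy_len;
}

/* Bounds-checked small-packet copy into the model mbuf. Returns 0 on success,
 * -1 when the caller must fall back to the normal (non-copy) receive path. */
int rx_small_copy(struct model_mbuf *m, const void *src, int len)
{
    int off = RX_COPY_ALIGN;
    if (off < 0 || len < 0 || len > RX_COPY_LEN ||
        (size_t)off + (size_t)len > sizeof(m->databuf))
        return -1;
    memcpy(m->databuf + off, src, (size_t)len);
    return 0;
}
```

With the modelled sizes the alignment offset is 8; growing the packet header model by 32 bytes makes rx_copy_align() report -1, which is the case the report describes as scribbling over header information.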