From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 263824] [genet] genet driver interface may overwrite memory in a consecutive memory copy operations when parse TX packet
Date: Fri, 06 May 2022 19:15:21 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Status: New
X-Bugzilla-Who: jiahali@blackberry.com
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263824

            Bug ID: 263824
           Summary: [genet] genet driver interface may overwrite memory in a
                    consecutive memory copy operations when parse TX packet
           Product: Base System
           Version: CURRENT
          Hardware: arm64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: jiahali@blackberry.com

if_genet.c, beginning at line 1247, in function gen_parse_tx():

    #define COPY(size) { \
        int hsize = size; \
        if (copy) { \
            if (shift) { \
                u_char *p0; \
                shift = false; \
                p0 = mtodo(m0, sizeof(struct statusblock)); \
                m0->m_data = m0->m_pktdat; \
                bcopy(p0, mtodo(m0, sizeof(struct statusblock)),\
                    m0->m_len - sizeof(struct statusblock)); \
                copy_p = mtodo(m0, sizeof(struct statusblock)); \
            } \
            bcopy(p, copy_p, hsize); \
            m0->m_len += hsize; \
            m0->m_pkthdr.len += hsize; /* unneeded */ \
            m->m_len -= hsize; \
            m->m_data += hsize; \
        } \
        copy_p += hsize; \
    }

In mbuf.h, line 116, the definition of mtodo() is

    #define mtodo(m, o) ((void *)(((m)->m_data) + (o)))

In genet, the "COPY()" macro function copies the Link Layer Header and Network Layer Header into a contiguous memory space. There are two memory copy operations in the "COPY()" function. The first is performed if the "shift" variable is set to true. The second memory copy operation is performed whether the first memory copy operation is performed or not.

The "m0->m_len" is the data length of the original "m0->m_data". "p0" points to "m0->m_data + sizeof(statusblock)".
The "m0->m_data" will then be changed to point to "m0->m_pktdat".

The memory overwrite will occur when the "shift" variable is true and "m0->m_len" is larger than "sizeof(struct statusblock)".

The first "bcopy()" will copy all the contents except the "statusblock" from the old "m0->m_data", starting at "p0", to the position starting at "m0->m_data + sizeof(struct statusblock)". The "copy_p" will be set to point to "m0->m_data + sizeof(struct statusblock)". The second "bcopy()" will copy the contents from "p" to "copy_p", which will overwrite some/all of the contents that were copied by the first copy.

Should "copy_p" point to "m0->m_data + sizeof(struct statusblock) + m0->m_len - sizeof(struct statusblock)" to prevent the memory overwrite?

-                copy_p = mtodo(m0, sizeof(struct statusblock)); \
+                copy_p = mtodo(m0, m0->m_len); \

It is a rare case that only happens when the content of a packet is located in different mbufs in an mbuf chain. It happens in my development environment when I tried to send a large ping packet, for example "ping -s 2048 .....".

-- 
You are receiving this mail because:
You are the assignee for the bug.
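Review bot: The new offset is the right one for the shift branch, and I would add a comment saying why. After the first bcopy() the shifted payload occupies m0->m_data + sizeof(struct statusblock) up to m0->m_data + m0->m_len, so mtodo(m0, m0->m_len) is the first free byte and the second bcopy() now appends the headers instead of landing on top of the payload; the trailing "copy_p += hsize" keeps advancing from there, so nothing else in the macro needs to change. Since the old value reads plausibly at a glance, a one-line comment at the assignment ("skip the payload that was just shifted down, not only the status block") would stop it being reintroduced. One thing the hunk does not address: the headers now land further into m0's internal buffer, and neither bcopy() in the macro checks that m0->m_len plus the hsize bytes appended by each COPY() still fits in m0->m_pktdat, so an assertion or a comment stating that assumption would be worth adding next to this line.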
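The overwrite described in the report, as a worked model added here (this is not code from the report or from if_genet.c): a hypothetical struct mbuf_model stands in for the few mbuf fields COPY() touches, memmove() stands in for bcopy() (both handle overlapping regions), and copy_header_after_shift() runs the "shift" branch of the macro with either the original copy_p offset (sizeof(struct statusblock)) or the proposed one (m0->m_len). The packet it builds is constructed: a 16-byte stand-in status block followed by eight payload bytes, sitting four bytes into the buffer so that the shift really moves data. With the original offset the appended header lands on the payload; with the proposed offset it lands after it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the mbuf fields COPY() touches (not the kernel's
 * struct mbuf): an internal data area, a pointer into it, and a length. */
#define PKTDAT_LEN 64

struct statusblock {
    uint8_t words[16];             /* size is a constructed value for the model */
};

struct mbuf_model {
    uint8_t  m_pktdat[PKTDAT_LEN]; /* internal buffer, like m_pktdat in the mbuf */
    uint8_t *m_data;               /* current start of the data */
    size_t   m_len;                /* bytes of valid data at m_data */
};

/* Same definition as mbuf.h, applied to the model. */
#define mtodo(m, o) ((void *)((m)->m_data + (o)))

/*
 * The "shift" branch of COPY() followed by the header copy.  The first
 * memmove() moves everything after the status block to the front of the
 * buffer (memmove() has the overlap-safe semantics of bcopy()); copy_p then
 * selects where the header is written: the original offset
 * (sizeof(struct statusblock)) or the proposed one (m0->m_len).
 * Returns the offset from m_data at which the header was written.
 */
static size_t copy_header_after_shift(struct mbuf_model *m0, const uint8_t *hdr,
                                      size_t hsize, bool fixed)
{
    uint8_t *p0 = mtodo(m0, sizeof(struct statusblock));
    uint8_t *copy_p;

    m0->m_data = m0->m_pktdat;
    memmove(mtodo(m0, sizeof(struct statusblock)), p0,
            m0->m_len - sizeof(struct statusblock));
    copy_p = fixed ? mtodo(m0, m0->m_len) : mtodo(m0, sizeof(struct statusblock));

    memmove(copy_p, hdr, hsize);   /* the second bcopy() of the macro */
    m0->m_len += hsize;
    return (size_t)(copy_p - m0->m_data);
}

/*
 * Constructed scenario: m_data starts 4 bytes into m_pktdat (so the shift
 * branch really moves data), holding a stand-in status block and 8 payload
 * bytes 'A'..'H'.  An 8-byte header is then copied in.  Returns how many of
 * the 8 payload bytes are still intact right after the status block.
 */
static int surviving_payload_bytes(bool fixed)
{
    static const uint8_t payload[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
    static const uint8_t hdr[8] = {'h', 'h', 'h', 'h', 'h', 'h', 'h', 'h'};
    struct mbuf_model m0;
    int intact = 0;

    memset(&m0, 0, sizeof m0);
    m0.m_data = m0.m_pktdat + 4;
    memset(m0.m_data, 0xEE, sizeof(struct statusblock));  /* stand-in status block */
    memcpy(m0.m_data + sizeof(struct statusblock), payload, sizeof payload);
    m0.m_len = sizeof(struct statusblock) + sizeof payload;

    copy_header_after_shift(&m0, hdr, sizeof hdr, fixed);

    /* After the shift the payload should sit directly after the status block. */
    for (size_t i = 0; i < sizeof payload; i++)
        if (m0.m_pktdat[sizeof(struct statusblock) + i] == payload[i])
            intact++;
    return intact;
}

int main(void)
{
    printf("original copy_p: %d of 8 payload bytes survive\n",
           surviving_payload_bytes(false));
    printf("proposed copy_p: %d of 8 payload bytes survive\n",
           surviving_payload_bytes(true));
    return 0;
}
```

With the original offset all eight payload bytes are replaced by the header; with the proposed offset all eight survive and the header follows them, which is the contiguous "status block, payload, headers" layout the macro is trying to build.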