From owner-svn-src-head@freebsd.org Fri Nov 30 07:07:12 2018 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4DBAE115A68B; Fri, 30 Nov 2018 07:07:12 +0000 (UTC) (envelope-from arybchik@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DE78570FCA; Fri, 30 Nov 2018 07:07:11 +0000 (UTC) (envelope-from arybchik@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 2489F251FC; Fri, 30 Nov 2018 07:07:10 +0000 (UTC) (envelope-from arybchik@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wAU77A60082617; Fri, 30 Nov 2018 07:07:10 GMT (envelope-from arybchik@FreeBSD.org) Received: (from arybchik@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wAU779Um082614; Fri, 30 Nov 2018 07:07:09 GMT (envelope-from arybchik@FreeBSD.org) Message-Id: <201811300707.wAU779Um082614@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: arybchik set sender to arybchik@FreeBSD.org using -f From: Andrew Rybchenko Date: Fri, 30 Nov 2018 07:07:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r341305 - head/sys/dev/sfxge/common X-SVN-Group: head X-SVN-Commit-Author: arybchik X-SVN-Commit-Paths: head/sys/dev/sfxge/common X-SVN-Commit-Revision: 341305 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: DE78570FCA X-Spamd-Result: default: False [0.65 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_SPAM_LONG(0.34)[0.335,0]; NEURAL_SPAM_MEDIUM(0.31)[0.312,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_SPAM_SHORT(0.01)[0.005,0] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Nov 2018 07:07:12 -0000 Author: arybchik Date: Fri Nov 30 07:07:09 2018 New Revision: 341305 URL: https://svnweb.freebsd.org/changeset/base/341305 Log: sfxge(4): check buffer size for hash flags The efx_rx_scale_hash_flags_get interface is unsafe, as it does not have an argument for the size of the output buffer used to return the flags. While the only caller currently supplies a sufficiently large buffer, this should be checked at runtime to avoid writing past the end of the buffer. Submitted by: Ivan Malov Sponsored by: Solarflare Communications, Inc. Differential Revision: https://reviews.freebsd.org/D18267 Modified: head/sys/dev/sfxge/common/efx.h head/sys/dev/sfxge/common/efx_annote.h (contents, props changed) head/sys/dev/sfxge/common/efx_rx.c Modified: head/sys/dev/sfxge/common/efx.h ============================================================================== --- head/sys/dev/sfxge/common/efx.h Fri Nov 30 07:06:58 2018 (r341304) +++ head/sys/dev/sfxge/common/efx.h Fri Nov 30 07:07:09 2018 (r341305) @@ -2396,7 +2396,8 @@ extern __checkReturn efx_rc_t efx_rx_scale_hash_flags_get( __in efx_nic_t *enp, __in efx_rx_hash_alg_t hash_alg, - __inout_ecount(EFX_RX_HASH_NFLAGS) unsigned int *flagsp, + __out_ecount_part(max_nflags, *nflagsp) unsigned int *flagsp, + __in unsigned int max_nflags, __out unsigned int *nflagsp); extern __checkReturn efx_rc_t Modified: head/sys/dev/sfxge/common/efx_annote.h ============================================================================== --- head/sys/dev/sfxge/common/efx_annote.h Fri Nov 30 07:06:58 2018 (r341304) +++ head/sys/dev/sfxge/common/efx_annote.h Fri Nov 30 07:07:09 2018 (r341305) @@ -61,6 +61,7 @@ #define __out_opt #define __out_ecount(_n) #define __out_ecount_opt(_n) +#define __out_ecount_part(_n, _l) #define __out_bcount(_n) #define __out_bcount_opt(_n) #define __out_bcount_part(_n, _l) Modified: head/sys/dev/sfxge/common/efx_rx.c ============================================================================== --- head/sys/dev/sfxge/common/efx_rx.c Fri Nov 30 07:06:58 2018 (r341304) +++ head/sys/dev/sfxge/common/efx_rx.c Fri Nov 30 07:07:09 2018 (r341305) @@ -327,13 +327,12 @@ fail1: efx_rx_scale_hash_flags_get( __in efx_nic_t *enp, __in efx_rx_hash_alg_t hash_alg, - __inout_ecount(EFX_RX_HASH_NFLAGS) unsigned int *flagsp, + __out_ecount_part(max_nflags, *nflagsp) unsigned int *flagsp, + __in unsigned int max_nflags, __out unsigned int *nflagsp) { efx_nic_cfg_t *encp = &enp->en_nic_cfg; - boolean_t l4; - boolean_t additional_modes; - unsigned int *entryp = flagsp; + unsigned int nflags = 0; efx_rc_t rc; if (flagsp == NULL || nflagsp == NULL) { @@ -342,56 +341,90 @@ efx_rx_scale_hash_flags_get( } if ((encp->enc_rx_scale_hash_alg_mask & (1U << hash_alg)) == 0) { - *nflagsp = 0; - return 0; + nflags = 0; + goto done; } - l4 = encp->enc_rx_scale_l4_hash_supported; - additional_modes = encp->enc_rx_scale_additional_modes_supported; - -#define LIST_FLAGS(_entryp, _class, _l4_hashing, _additional_modes) \ - do { \ - if (_l4_hashing) { \ - *(_entryp++) = EFX_RX_HASH(_class, 4TUPLE); \ - \ - if (_additional_modes) { \ - *(_entryp++) = \ - EFX_RX_HASH(_class, 2TUPLE_DST); \ - *(_entryp++) = \ - EFX_RX_HASH(_class, 2TUPLE_SRC); \ - } \ - } \ - \ - *(_entryp++) = EFX_RX_HASH(_class, 2TUPLE); \ - \ - if (_additional_modes) { \ - *(_entryp++) = EFX_RX_HASH(_class, 1TUPLE_DST); \ - *(_entryp++) = EFX_RX_HASH(_class, 1TUPLE_SRC); \ - } \ - \ - *(_entryp++) = EFX_RX_HASH(_class, DISABLE); \ - \ - _NOTE(CONSTANTCONDITION) \ + /* Helper to add flags word to flags array without buffer overflow */ +#define INSERT_FLAGS(_flags) \ + do { \ + if (nflags >= max_nflags) { \ + rc = E2BIG; \ + goto fail2; \ + } \ + *(flagsp + nflags) = (_flags); \ + nflags++; \ + \ + _NOTE(CONSTANTCONDITION) \ } while (B_FALSE) - LIST_FLAGS(entryp, IPV4_TCP, l4, additional_modes); - LIST_FLAGS(entryp, IPV6_TCP, l4, additional_modes); + if (encp->enc_rx_scale_l4_hash_supported != B_FALSE) { + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, 4TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, 4TUPLE)); + } - if (additional_modes) { - LIST_FLAGS(entryp, IPV4_UDP, l4, additional_modes); - LIST_FLAGS(entryp, IPV6_UDP, l4, additional_modes); + if ((encp->enc_rx_scale_l4_hash_supported != B_FALSE) && + (encp->enc_rx_scale_additional_modes_supported != B_FALSE)) { + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, 2TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, 2TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, 2TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, 2TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, 4TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, 2TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, 2TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, 4TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, 2TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, 2TUPLE_SRC)); } - LIST_FLAGS(entryp, IPV4, B_FALSE, additional_modes); - LIST_FLAGS(entryp, IPV6, B_FALSE, additional_modes); + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, 2TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, 2TUPLE)); -#undef LIST_FLAGS + INSERT_FLAGS(EFX_RX_HASH(IPV4, 2TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6, 2TUPLE)); - *nflagsp = (unsigned int)(entryp - flagsp); - EFSYS_ASSERT3U(*nflagsp, <=, EFX_RX_HASH_NFLAGS); + if (encp->enc_rx_scale_additional_modes_supported != B_FALSE) { + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, 1TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, 1TUPLE_SRC)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, 1TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, 1TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, 2TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, 1TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, 1TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, 2TUPLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, 1TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, 1TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV4, 1TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV4, 1TUPLE_SRC)); + + INSERT_FLAGS(EFX_RX_HASH(IPV6, 1TUPLE_DST)); + INSERT_FLAGS(EFX_RX_HASH(IPV6, 1TUPLE_SRC)); + } + + INSERT_FLAGS(EFX_RX_HASH(IPV4_TCP, DISABLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_TCP, DISABLE)); + + INSERT_FLAGS(EFX_RX_HASH(IPV4_UDP, DISABLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6_UDP, DISABLE)); + + INSERT_FLAGS(EFX_RX_HASH(IPV4, DISABLE)); + INSERT_FLAGS(EFX_RX_HASH(IPV6, DISABLE)); + +#undef INSERT_FLAGS + +done: + *nflagsp = nflags; return (0); +fail2: + EFSYS_PROBE(fail2); fail1: EFSYS_PROBE1(fail1, efx_rc_t, rc); @@ -577,7 +610,8 @@ efx_rx_scale_mode_set( /* * Get the list of supported hash flags and sanitise the input. */ - rc = efx_rx_scale_hash_flags_get(enp, alg, type_flags, &type_nflags); + rc = efx_rx_scale_hash_flags_get(enp, alg, type_flags, + EFX_ARRAY_SIZE(type_flags), &type_nflags); if (rc != 0) goto fail2;