AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-01-24 01:40:06 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
0f3086868e
linux_dsm_epyc7002/drivers/net/ethernet
History
Stefano Brivio 0f3086868e cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() 
Passing commands for logging to t4_record_mbox() with size
MBOX_LEN, when the actual command size is actually smaller,
causes out-of-bounds stack accesses in t4_record_mbox() while
copying command words here:

	for (i = 0; i < size / 8; i++)
		entry->cmd[i] = be64_to_cpu(cmd[i]);

Up to 48 bytes from the stack are then leaked to debugfs.

This happens whenever we send (and log) commands described by
structs fw_sched_cmd (32 bytes leaked), fw_vi_rxmode_cmd (48),
fw_hello_cmd (48), fw_bye_cmd (48), fw_initialize_cmd (48),
fw_reset_cmd (48), fw_pfvf_cmd (32), fw_eq_eth_cmd (16),
fw_eq_ctrl_cmd (32), fw_eq_ofld_cmd (32), fw_acl_mac_cmd(16),
fw_rss_glb_config_cmd(32), fw_rss_vi_config_cmd(32),
fw_devlog_cmd(32), fw_vi_enable_cmd(48), fw_port_cmd(32),
fw_sched_cmd(32), fw_devlog_cmd(32).

The cxgb4vf driver got this right instead.

When we call t4_record_mbox() to log a command reply, a MBOX_LEN
size can be used though, as get_mbox_rpl() will fill cmd_rpl up
completely.

Fixes: 7f080c3f2f ("cxgb4: Add support to enable logging of firmware mailbox commands")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-28 15:24:23 -07:00
..
3com
8390
adaptec
adi
aeroflex
agere
alacritech
allwinner
alteon
altera
amazon net: ena: update ena driver to version 1.2.0 2017-06-23 14:15:11 -04:00
amd amd-xgbe: fix spelling mistake: "avialable" -> "available" 2017-06-29 15:35:50 -04:00
apm xgene: Always get clk source, but ignore if it's missing for SGMII ports 2017-08-04 11:30:37 -07:00
apple
aquantia
arc
atheros net: atl1c: fix spelling mistake: "droppted" -> "dropped" 2017-06-29 12:24:26 -04:00
aurora net: ethernet: nb8800: Handle all 4 RGMII modes identically 2017-07-25 21:27:01 -07:00
broadcom net: systemport: Free DMA coherent descriptors on errors 2017-08-24 18:23:21 -07:00
brocade
cadence net: macb: Adding Support for Jumbo Frames up to 10240 Bytes in SAMA5D3 2017-07-08 10:39:46 +01:00
calxeda
cavium net: thunderx: Fix BGX transmit stall due to underflow 2017-07-29 14:17:07 -07:00
chelsio cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() 2017-08-28 15:24:23 -07:00
cirrus
cisco cisco: enic: Fic an error handling path in 'vnic_dev_init_devcmd2()' 2017-07-11 10:54:15 -07:00
davicom
dec
dlink
emulex
ezchip
faraday net: ftgmac100: Fix oops in probe on failure to find associated PHY 2017-08-22 14:17:47 -07:00
freescale fsl/man: Inherit parent device and of_node 2017-08-22 16:32:08 -07:00
fujitsu
hisilicon net: hns: add acpi function of xge led control 2017-07-14 08:18:07 -07:00
hp
i825xx
ibm ibmvnic: Initialize SCRQ's during login renegotiation 2017-08-02 10:47:45 -07:00
intel ixgbe: Initialize 64-bit stats seqcounts 2017-08-01 20:06:07 -07:00
marvell net: mvpp2: fix the mac address used when using PPv2.2 2017-08-28 11:24:52 -07:00
mediatek net: ethernet: mediatek: Explicitly include linux/interrupt.h 2017-07-24 13:45:29 -07:00
mellanox mlxsw: spectrum_switchdev: Fix mrouter flag update 2017-08-22 14:22:54 -07:00
micrel
microchip
moxa
myricom
natsemi
neterion
netronome nfp: remove incorrect mask check for vlan matching 2017-08-28 15:20:24 -07:00
nuvoton
nvidia
nxp net: manual clean code which call skb_put_[data:zero] 2017-06-20 13:30:15 -04:00
oki-semi
packetengines net: manual clean code which call skb_put_[data:zero] 2017-06-20 13:30:15 -04:00
pasemi
qlogic qlge: avoid memcpy buffer overflow 2017-08-24 14:00:57 -07:00
qualcomm net: qcom/emac: fix double free of SGMII IRQ during shutdown 2017-07-14 08:55:32 -07:00
rdc
realtek r8169: Be drop monitor friendly 2017-08-25 19:13:27 -07:00
renesas
rocker Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
samsung net: sxgbe: check memory allocation failure 2017-08-25 20:07:07 -07:00
seeq
sfc sfc: don't try and read ef10 data on non-ef10 NIC 2017-08-15 17:19:34 -07:00
sgi ioc3-eth: store pointer to net_device for priviate area 2017-07-15 14:28:56 -07:00
silan
sis
smsc smsc911x: Add check for ioremap_nocache() return code 2017-07-12 14:35:43 -07:00
stmicro net: stmmac: sun8i: Remove the compatibles 2017-08-28 15:22:42 -07:00
sun sunhme: fix up GREG_STAT and GREG_IMASK register offsets 2017-07-31 16:23:05 -07:00
synopsys
tehuti net: tehuti: don't process data if it has not been copied from userspace 2017-07-19 22:48:02 -07:00
ti net: ethernet: ti: cpts: fix fifo read in cpts_find_ts 2017-08-01 15:22:55 -07:00
tile
toshiba net: tc35815: fix spelling mistake: "Intterrupt" -> "Interrupt" 2017-07-29 15:22:08 -07:00
tundra
via
wiznet
xilinx
xircom
xscale
dnet.c
dnet.h
ec_bhf.c
ethoc.c
fealnx.c
jme.c
jme.h
Kconfig
korina.c
lantiq_etop.c
Makefile
netx-eth.c