From: Rasesh Mody <Rasesh.Mody@cavium.com>
To: <ferruh.yigit@intel.com>
Cc: Rasesh Mody <Rasesh.Mody@cavium.com>, <dev@dpdk.org>,
<stable@dpdk.org>, <Dept-EngDPDKDev@cavium.com>
Subject: [dpdk-dev] [PATCH v2 6/8] net/qede/base: fix Rx queue access by malicious VFs
Date: Thu, 22 Dec 2016 16:50:02 -0800
Message-ID: <1482454204-21707-6-git-send-email-Rasesh.Mody@cavium.com>
In-Reply-To: <eba57a02-fccd-d0e7-f271-421981e11c7d@intel.com>
Rx queue access is still done prior to the index being validated by PF.
Hence move Rx queue and status block validation check before accessing
Rx queue to prevent malicious VFs from using out-of-bound queue indices.

Fixes: 98bc693e1938 ("net/qede/base: change queue start")
Signed-off-by: Rasesh Mody <Rasesh.Mody@cavium.com>
---
drivers/net/qede/base/ecore_sriov.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/qede/base/ecore_sriov.c b/drivers/net/qede/base/ecore_sriov.c
index de54b9a..1255296 100644
--- a/drivers/net/qede/base/ecore_sriov.c
+++ b/drivers/net/qede/base/ecore_sriov.c
@@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
enum _ecore_status_t rc;
req = &mbx->req_virt->start_rxq;
+
+ if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
+ !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
+ goto out;
+
OSAL_MEMSET(&p_params, 0, sizeof(p_params));
p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
p_params.vf_qid = req->rx_qid;
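Review bot: the new early `goto out` in ecore_iov_vf_mbx_start_rxq() now runs before OSAL_MEMSET(&p_params, ...), so please confirm that nothing at the `out` label reads p_params and that the reply status is already set to a failure value at this point; neither is visible in this hunk. The rejection is also silent: a log line naming the VF together with req->rx_qid and req->hw_sb on this path would let the PF side notice a VF that sends out-of-range indices, instead of only returning a failed mailbox reply.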
@@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
p_params.sb = req->hw_sb;
p_params.sb_idx = req->sb_index;
- if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
- !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
- goto out;
-
/* Legacy VFs have their Producers in a different location, which they
* calculate on their own and clean the producer prior to this.
*/
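Review bot: `p_params.sb_idx = req->sb_index;` in the context above is still taken from the VF request without any check visible in this patch; only req->rx_qid and req->hw_sb go through ecore_iov_validate_rxq() and ecore_iov_validate_sb(). If sb_index is bounded elsewhere, a short comment here saying where would help; if it is not, it should get the same treatment as the other two VF-supplied fields before it is used. With the validation moved up, it would also be worth a one-line comment at the new check stating that every req-> field must be validated before it is used as an index, so the ordering is not undone by a later refactor.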
--
1.7.10.3