From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0b-0016ce01.pphosted.com (mx0b-0016ce01.pphosted.com [67.231.156.153]) by dpdk.org (Postfix) with ESMTP id 5960210E14; Fri, 23 Dec 2016 01:50:35 +0100 (CET) Received: from pps.filterd (m0085408.ppops.net [127.0.0.1]) by mx0b-0016ce01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id uBN0mgnN030158; Thu, 22 Dec 2016 16:50:32 -0800 Received: from avcashub1.qlogic.com ([198.186.0.117]) by mx0b-0016ce01.pphosted.com with ESMTP id 27gsq4r01h-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 22 Dec 2016 16:50:32 -0800 Received: from avluser05.qlc.com (10.1.113.115) by qlc.com (10.1.4.192) with Microsoft SMTP Server id 14.3.235.1; Thu, 22 Dec 2016 16:50:31 -0800 Received: (from rmody@localhost) by avluser05.qlc.com (8.14.4/8.14.4/Submit) id uBN0oVpY021812; Thu, 22 Dec 2016 16:50:31 -0800 X-Authentication-Warning: avluser05.qlc.com: rmody set sender to Rasesh.Mody@cavium.com using -f From: Rasesh Mody To: CC: Rasesh Mody , , , Date: Thu, 22 Dec 2016 16:50:02 -0800 Message-ID: <1482454204-21707-6-git-send-email-Rasesh.Mody@cavium.com> X-Mailer: git-send-email 1.7.10.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain disclaimer: bypass X-Proofpoint-Virus-Version: vendor=nai engine=5800 definitions=8387 signatures=670789 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1612230012 Subject: [dpdk-dev] [PATCH v2 6/8] net/qede/base: fix Rx queue access by malicious VFs X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 00:50:35 -0000 Rx queue access is still done prior to the index being validated by PF. Hence move Rx queue and status block validation check before accessing Rx queue to prevent malicious VFs from using out-of-bound queue indices. Fixes: 98bc693e1938 ("net/qede/base: change queue start") Signed-off-by: Rasesh Mody --- drivers/net/qede/base/ecore_sriov.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/qede/base/ecore_sriov.c b/drivers/net/qede/base/ecore_sriov.c index de54b9a..1255296 100644 --- a/drivers/net/qede/base/ecore_sriov.c +++ b/drivers/net/qede/base/ecore_sriov.c @@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn, enum _ecore_status_t rc; req = &mbx->req_virt->start_rxq; + + if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) || + !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb)) + goto out; + OSAL_MEMSET(&p_params, 0, sizeof(p_params)); p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid; p_params.vf_qid = req->rx_qid; @@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn, p_params.sb = req->hw_sb; p_params.sb_idx = req->sb_index; - if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) || - !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb)) - goto out; - /* Legacy VFs have their Producers in a different location, which they * calculate on their own and clean the producer prior to this. */ -- 1.7.10.3