Commit 1c20c819 authored by Dennis Dalessandro's avatar Dennis Dalessandro Committed by Roland Dreier

IB/qib: Fix potential buffer overrun in sending diag packet routine

Guard against a potential buffer overrun.  Right now the qib driver is
protected by the fact that the data structure in question is only 16
bits.  Should that ever change the problem will be exposed. There is a
similar defect in the ipath driver and this brings the two code paths
into sync.
Reported-by: default avatarNico Golde <nico@ngolde.de>
Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
Reviewed-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
parent cfbf8d48
...@@ -546,7 +546,7 @@ static ssize_t qib_diagpkt_write(struct file *fp, ...@@ -546,7 +546,7 @@ static ssize_t qib_diagpkt_write(struct file *fp,
size_t count, loff_t *off) size_t count, loff_t *off)
{ {
u32 __iomem *piobuf; u32 __iomem *piobuf;
u32 plen, clen, pbufn; u32 plen, pbufn, maxlen_reserve;
struct qib_diag_xpkt dp; struct qib_diag_xpkt dp;
u32 *tmpbuf = NULL; u32 *tmpbuf = NULL;
struct qib_devdata *dd; struct qib_devdata *dd;
...@@ -590,15 +590,20 @@ static ssize_t qib_diagpkt_write(struct file *fp, ...@@ -590,15 +590,20 @@ static ssize_t qib_diagpkt_write(struct file *fp,
} }
ppd = &dd->pport[dp.port - 1]; ppd = &dd->pport[dp.port - 1];
/* need total length before first word written */ /*
/* +1 word is for the qword padding */ * need total length before first word written, plus 2 Dwords. One Dword
plen = sizeof(u32) + dp.len; * is for padding so we get the full user data when not aligned on
clen = dp.len >> 2; * a word boundary. The other Dword is to make sure we have room for the
* ICRC which gets tacked on later.
if ((plen + 4) > ppd->ibmaxlen) { */
maxlen_reserve = 2 * sizeof(u32);
if (dp.len > ppd->ibmaxlen - maxlen_reserve) {
ret = -EINVAL; ret = -EINVAL;
goto bail; /* before writing pbc */ goto bail;
} }
plen = sizeof(u32) + dp.len;
tmpbuf = vmalloc(plen); tmpbuf = vmalloc(plen);
if (!tmpbuf) { if (!tmpbuf) {
qib_devinfo(dd->pcidev, qib_devinfo(dd->pcidev,
...@@ -638,11 +643,11 @@ static ssize_t qib_diagpkt_write(struct file *fp, ...@@ -638,11 +643,11 @@ static ssize_t qib_diagpkt_write(struct file *fp,
*/ */
if (dd->flags & QIB_PIO_FLUSH_WC) { if (dd->flags & QIB_PIO_FLUSH_WC) {
qib_flush_wc(); qib_flush_wc();
qib_pio_copy(piobuf + 2, tmpbuf, clen - 1); qib_pio_copy(piobuf + 2, tmpbuf, plen - 1);
qib_flush_wc(); qib_flush_wc();
__raw_writel(tmpbuf[clen - 1], piobuf + clen + 1); __raw_writel(tmpbuf[plen - 1], piobuf + plen + 1);
} else } else
qib_pio_copy(piobuf + 2, tmpbuf, clen); qib_pio_copy(piobuf + 2, tmpbuf, plen);
if (dd->flags & QIB_USE_SPCL_TRIG) { if (dd->flags & QIB_USE_SPCL_TRIG) {
u32 spcl_off = (pbufn >= dd->piobcnt2k) ? 2047 : 1023; u32 spcl_off = (pbufn >= dd->piobcnt2k) ? 2047 : 1023;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment