[2/6] net/bnxt: fix potential data race

diff mbox series

Message ID	20200303175938.14292-3-stephen@networkplumber.org
State	New
Delegated to:	Ajit Khaparde
Headers	show Return-Path: <dev-bounces@dpdk.org> From: Stephen Hemminger <stephen@networkplumber.org> To: ajit.khaparde@broadcom.com, somnath.kotur@broadcom.com Cc: dev@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>, Christopher Ertl <Christopher.Ertl@microsoft.com> Date: Tue, 3 Mar 2020 09:59:34 -0800 Message-Id: <20200303175938.14292-3-stephen@networkplumber.org> In-Reply-To: <20200303175938.14292-1-stephen@networkplumber.org> References: <20200303175938.14292-1-stephen@networkplumber.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH 2/6] net/bnxt: fix potential data race Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	net/bnxt: bounds checking patches
Related	show [0/6] net/bnxt: bounds checking patches [1/6] eal: add portable way to check for math overflow [2/6] net/bnxt: fix potential data race [3/6] net/bnxt: avoid potential out of bounds read [4/6] net/bnxt: check for integer overflow in buffer sizing [5/6] net/bnxt: add integer underflow check [6/6] net/bnxt: sanitize max_l2_ctx

Message ID

20200303175938.14292-3-stephen@networkplumber.org

State

New

Delegated to:

Ajit Khaparde

Headers

show

Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 92A30A0571;
	Tue,  3 Mar 2020 19:00:02 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 32F231C01E;
	Tue,  3 Mar 2020 18:59:47 +0100 (CET)
Received: from mail-pl1-f194.google.com (mail-pl1-f194.google.com
 [209.85.214.194]) by dpdk.org (Postfix) with ESMTP id 399AE1C012
 for <dev@dpdk.org>; Tue,  3 Mar 2020 18:59:45 +0100 (CET)
Received: by mail-pl1-f194.google.com with SMTP id x17so1650679plm.10
 for <dev@dpdk.org>; Tue, 03 Mar 2020 09:59:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20150623.gappssmtp.com; s=20150623;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=ap7V2Mf+iyDGYa/E3yDLrfkvs2vTi+qaq5RjdBx02GI=;
 b=nx5yDPYm/pMHc2xS13NUa7EyIccW9H/N1n7Vv4Ud6rn8vIXjItKi4wSgHDQKBv9bJ1
 cdq7G0O1CJrD4U3R2dHEd6fE2ssQkQ7RRcYHzh6GQ/t1rKf9LJXqQutfbsCuXUEhyexQ
 cZeI5g7owkpwxvIS+owyZ1jdqdVyQQ84sXaR8n1c6/yCyf1htMK78p8W6gT6kQH7o4JJ
 MnCVHe9W8chGt8cySi9JSSqK+nGhgq3gEITkHIAqevjAGnN3yrg4rpMy7nyxXRTmvfau
 6/i/gVXhaLUJhOC/sS7+Xba6C3s/p4v6iNy2G7ZOwosIPmcdEpRW3xL4pZr06l/NfYhi
 0Eiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=ap7V2Mf+iyDGYa/E3yDLrfkvs2vTi+qaq5RjdBx02GI=;
 b=mVSrQiDLaVIbLxaKt/x1jhqjKx7OF+SCIM50SVFVaetEm+BzfQkFn7+fCIZdAdZ4Lv
 5Orqo5Vev9T9DM0x/Z97SP2Iw1sUm52HcUx40WQf6rspEQQASY6h8L1DXlDtuOhBTomu
 iliVHe3p81FlJq50D8W6kxYtGBQVp/rtKXUnjL32b40ACKXl8GiQFtg52I3JP50YP6lK
 3EbSIy6y3CKulNEUWNw6xVlMtUonylqCtaS5fT7745UseoXLJnZKUCT875u7zvJLGOIx
 DvQ6tCbWaGn9URYZV01iDAoIZMXYOHAXmk9qI8tiB8ECcG1oxtqC91MnbbYeCTrXbsIX
 +4Tg==
X-Gm-Message-State: ANhLgQ0WGw0der50tkqdz2bEH6P0zicERc61tsSJpvPXpd0cUJ3T6Cc4
 kMifMNOPswxU82Qbv1rjD+3UqQ==
X-Google-Smtp-Source: 
 ADFU+vszG4Tl9g6BK9+TPRqQHfP97LGzXul9b+EVQmtTgioRn8K1uzoPaI8I9SXSPOhC45tineW2iQ==
X-Received: by 2002:a17:90b:94d:: with SMTP id
 dw13mr5349368pjb.13.1583258384181;
 Tue, 03 Mar 2020 09:59:44 -0800 (PST)
Received: from hermes.corp.microsoft.com (204-195-22-127.wavecable.com.
 [204.195.22.127])
 by smtp.gmail.com with ESMTPSA id w195sm22012158pfd.65.2020.03.03.09.59.42
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 03 Mar 2020 09:59:43 -0800 (PST)
From: Stephen Hemminger <stephen@networkplumber.org>
To: ajit.khaparde@broadcom.com,
	somnath.kotur@broadcom.com
Cc: dev@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
 Christopher Ertl <Christopher.Ertl@microsoft.com>
Date: Tue,  3 Mar 2020 09:59:34 -0800
Message-Id: <20200303175938.14292-3-stephen@networkplumber.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200303175938.14292-1-stephen@networkplumber.org>
References: <20200303175938.14292-1-stephen@networkplumber.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH 2/6] net/bnxt: fix potential data race
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Series

net/bnxt: bounds checking patches

show

Context	Check	Description
ci/Intel-compilation	success	Compilation OK
ci/checkpatch	success	coding style OK

Context

Check

Description

ci/Intel-compilation

success

Compilation OK

ci/checkpatch

success

coding style OK

Commit Message

Stephen Hemminger March 3, 2020, 5:59 p.m. UTC

The response from the firmware is accessed multiple times.
This is a potential TOCTOU error.

Reported-by: Christopher Ertl <Christopher.Ertl@microsoft.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/bnxt/bnxt_hwrm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Christopher Ertl March 3, 2020, 6:13 p.m. UTC | #1

Can we add the `volatile` qualifier to the `hwrm_cmd_resp_addr` member (in drivers/net/bnxt/bnxt.h) to get a stronger guarantee that the compiler won't insert TOCTOU races in the output?

Christopher Ertl | MSRC Vulnerabilities & Mitigations | Microsoft Limited | +44 7773976589 | Christopher.Ertl@microsoft.com
 
Microsoft Limited (company number 01624297) is a company registered in England and Wales whose registered office is at Microsoft Campus, Thames Valley Park, Reading. RG6 1WG

-----Original Message-----
From: Stephen Hemminger <stephen@networkplumber.org> 
Sent: Tuesday, March 3, 2020 6:00 PM
To: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>; somnath.kotur@broadcom.com
Cc: dev@dpdk.org; Stephen Hemminger <stephen@networkplumber.org>; Christopher Ertl <Christopher.Ertl@microsoft.com>
Subject: [EXTERNAL] [PATCH 2/6] net/bnxt: fix potential data race

The response from the firmware is accessed multiple times.
This is a potential TOCTOU error.

Reported-by: Christopher Ertl <Christopher.Ertl@microsoft.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/bnxt/bnxt_hwrm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c index a9c9c7297cab..20e2f6a36713 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -3746,6 +3746,7 @@ int bnxt_hwrm_port_led_qcaps(struct bnxt *bp)  {
 	struct hwrm_port_led_qcaps_output *resp = bp->hwrm_cmd_resp_addr;
 	struct hwrm_port_led_qcaps_input req = {0};
+	uint8_t num_leds;
 	int rc;
 
 	if (BNXT_VF(bp))
@@ -3757,10 +3758,11 @@ int bnxt_hwrm_port_led_qcaps(struct bnxt *bp)
 
 	HWRM_CHECK_RESULT();
 
-	if (resp->num_leds > 0 && resp->num_leds < BNXT_MAX_LED) {
+	num_leds = resp->num_leds;
+	if (num_leds > 0 && num_leds < BNXT_MAX_LED) {
 		unsigned int i;
 
-		bp->num_leds = resp->num_leds;
+		bp->num_leds = num_leds;
 		memcpy(bp->leds, &resp->led0_id,
 			sizeof(bp->leds[0]) * bp->num_leds);
 		for (i = 0; i < bp->num_leds; i++) {
--
2.20.1

Stephen Hemminger March 3, 2020, 6:16 p.m. UTC | #2

On Tue, 3 Mar 2020 18:13:22 +0000
Christopher Ertl <Christopher.Ertl@microsoft.com> wrote:

> Can we add the `volatile` qualifier to the `hwrm_cmd_resp_addr` member (in drivers/net/bnxt/bnxt.h) to get a stronger guarantee that the compiler won't insert TOCTOU races in the output?
> 
> Christopher Ertl | MSRC Vulnerabilities & Mitigations | Microsoft Limited | +44 7773976589 | Christopher.Ertl@microsoft.com
>  
> Microsoft Limited (company number 01624297) is a company registered in England and Wales whose registered office is at Microsoft Campus, Thames Valley Park, Reading. RG6 1WG

Should this be done for all the registers in that structure?

Patch

diff mbox series

diff --git a/drivers/net/bnxt/bnxt_hwrm.c b/drivers/net/bnxt/bnxt_hwrm.c
index a9c9c7297cab..20e2f6a36713 100644
--- a/drivers/net/bnxt/bnxt_hwrm.c
+++ b/drivers/net/bnxt/bnxt_hwrm.c
@@ -3746,6 +3746,7 @@  int bnxt_hwrm_port_led_qcaps(struct bnxt *bp)
 {
 	struct hwrm_port_led_qcaps_output *resp = bp->hwrm_cmd_resp_addr;
 	struct hwrm_port_led_qcaps_input req = {0};
+	uint8_t num_leds;
 	int rc;
 
 	if (BNXT_VF(bp))
@@ -3757,10 +3758,11 @@  int bnxt_hwrm_port_led_qcaps(struct bnxt *bp)
 
 	HWRM_CHECK_RESULT();
 
-	if (resp->num_leds > 0 && resp->num_leds < BNXT_MAX_LED) {
+	num_leds = resp->num_leds;
+	if (num_leds > 0 && num_leds < BNXT_MAX_LED) {
 		unsigned int i;
 
-		bp->num_leds = resp->num_leds;
+		bp->num_leds = num_leds;
 		memcpy(bp->leds, &resp->led0_id,
 			sizeof(bp->leds[0]) * bp->num_leds);
 		for (i = 0; i < bp->num_leds; i++) {

[2/6] net/bnxt: fix potential data race 66220 diff mbox series

Checks

Commit Message

Comments

Patch 66220 diff mbox series

[2/6] net/bnxt: fix potential data race
diff mbox series

Patch
diff mbox series