    net: hns3: fix use-after-free when doing self test · a0665621
    Yonglong Liu authored
    Enable promisc mode of PF, set VF link state to enable, and
    run iperf of the VF, then do self test of the PF. The self test
    will fail with a low frequency, and may cause a use-after-free
    problem.
    
    [   87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [   87.159722] ==================================================================
    [   87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608
    [   87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186
    [   87.201012]
    [   87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4
    [   87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020
    [   87.238292] Call trace:
    [   87.243173]  dump_backtrace+0x0/0x280
    [   87.250491]  show_stack+0x24/0x30
    [   87.257114]  dump_stack+0xe8/0x140
    [   87.263911]  print_address_description.isra.8+0x70/0x380
    [   87.274538]  __kasan_report+0x12c/0x230
    [   87.282203]  kasan_report+0xc/0x18
    [   87.288999]  __asan_load1+0x60/0x68
    [   87.295969]  hex_dump_to_buffer+0x140/0x608
    [   87.304332]  print_hex_dump+0x140/0x1e0
    [   87.312000]  hns3_lb_check_skb_data+0x168/0x170
    [   87.321060]  hns3_clean_rx_ring+0xa94/0xfe0
    [   87.329422]  hns3_self_test+0x708/0x8c0
    
    The length of packet sent by the selftest process is only
    128 + 14 bytes, and the min buffer size of a BD is 256 bytes,
    and the receive process will make sure the packet sent by
    the selftest process is in the linear part, so only check
    the linear part in hns3_lb_check_skb_data().
    
    So fix this use-after-free by using skb_headlen() to dump
    skb->data instead of skb->len.
    
    Fixes: c39c4d98 ("net: hns3: Add mac loopback selftest support in hns3 driver")
    Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
hns3_ethtool.c 39.6 KB
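
The length mismatch the commit message describes, as an added userspace example (not part of the commit or the hns3 driver): a dump that starts at the linear data pointer but runs for the total length reads past the linear part whenever some bytes live in fragments, while a dump bounded by the head length does not. struct model_skb, the helper names and both sample frames are constructed for illustration; only the len minus data_len arithmetic mirrors the kernel's skb_headlen().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the sk_buff length fields (hypothetical names, not kernel code). */
struct model_skb {
    const uint8_t *data; /* start of the linear part */
    size_t len;          /* total bytes: linear part + paged fragments */
    size_t data_len;     /* bytes held only in paged fragments */
};

static uint8_t linear_buf[256]; /* constructed: one 256-byte receive buffer */

/* Same arithmetic as the kernel's skb_headlen(): bytes reachable through ->data. */
size_t model_headlen(const struct model_skb *skb)
{
    return skb->len - skb->data_len;
}

/* How many bytes a dump of `want` bytes from ->data would read past the linear part. */
size_t model_overread(const struct model_skb *skb, size_t want)
{
    size_t head = model_headlen(skb);
    return want > head ? want - head : 0;
}

/* Hex dump bounded by the linear part; returns the number of bytes dumped. */
size_t model_dump_linear(const struct model_skb *skb, char *out, size_t outsz)
{
    size_t n = model_headlen(skb), i, used = 0;
    for (i = 0; i < n && used + 3 < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, "%02x ", skb->data[i]);
    return i;
}

/* Constructed frames: the 128 + 14 byte selftest packet, fully linear, and a
 * 1500-byte frame with only its first 256 bytes in the linear part. */
struct model_skb selftest_frame(void) { return (struct model_skb){ linear_buf, 142, 0 }; }
struct model_skb fragmented_frame(void) { return (struct model_skb){ linear_buf, 1500, 1244 }; }

int main(void)
{
    struct model_skb f = fragmented_frame();
    char out[1024];
    printf("len=%zu headlen=%zu overread=%zu dumped=%zu\n", f.len, model_headlen(&f),
           model_overread(&f, f.len), model_dump_linear(&f, out, sizeof(out)));
    return 0;
}
```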