|
 |
2a1b01 |
From 1c14a6d8ebad07bc6ff090164ca15ab7656e7167 Mon Sep 17 00:00:00 2001
|
|
|
2a1b01 |
From: Ido Schimmel <idosch@nvidia.com>
|
|
|
2a1b01 |
Date: Tue, 14 Sep 2021 14:27:35 +0300
|
|
|
2a1b01 |
Subject: [PATCH 02/35] cmis: Fix invalid memory access in IOCTL path
|
|
|
2a1b01 |
|
|
|
2a1b01 |
Page 01h is an optional page that is not available for flat memory
|
|
|
2a1b01 |
modules. Trying to blindly access it results in the following report
|
|
|
2a1b01 |
from AddressSanitizer [1].
|
|
|
2a1b01 |
|
|
|
2a1b01 |
Instead, pass the base address of the Lower Memory. This results in
|
|
|
2a1b01 |
wrong information being parsed, but this never worked correctly since
|
|
|
2a1b01 |
CMIS support first appeared in cited commit.
|
|
|
2a1b01 |
|
|
|
2a1b01 |
The information will be parsed correctly in a follow-up submission that
|
|
|
2a1b01 |
reworks the EEPROM parsing code to use a memory map with pointers to
|
|
|
2a1b01 |
individual pages instead of passing one large buffer.
|
|
|
2a1b01 |
|
|
|
2a1b01 |
[1]
|
|
|
2a1b01 |
==968785==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000001d4 at pc 0x0000004806ee bp 0x7ffefbc977a0 sp 0x7ffefbc97798
|
|
|
2a1b01 |
READ of size 1 at 0x6120000001d4 thread T0
|
|
|
2a1b01 |
#0 0x4806ed in cmis_print_smf_cbl_len cmis.c:127
|
|
|
2a1b01 |
#1 0x48113e in cmis_show_link_len_from_page cmis.c:279
|
|
|
2a1b01 |
#2 0x4811e3 in cmis_show_link_len cmis.c:300
|
|
|
2a1b01 |
#3 0x481358 in qsfp_dd_show_all cmis.c:336
|
|
|
2a1b01 |
#4 0x47d190 in sff8636_show_all qsfp.c:861
|
|
|
2a1b01 |
#5 0x42130b in do_getmodule ethtool.c:4908
|
|
|
2a1b01 |
#6 0x42a38a in main ethtool.c:6383
|
|
|
2a1b01 |
#7 0x7f11db6c51e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
|
|
|
2a1b01 |
#8 0x40258d in _start (ethtool+0x40258d)
|
|
|
2a1b01 |
|
|
|
2a1b01 |
Address 0x6120000001d4 is a wild pointer.
|
|
|
2a1b01 |
SUMMARY: AddressSanitizer: heap-buffer-overflow cmis.c:127 in cmis_print_smf_cbl_len
|
|
|
2a1b01 |
|
|
|
2a1b01 |
Fixes: 88ca347ef35a ("Add QSFP-DD support").
|
|
|
2a1b01 |
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
|
|
|
2a1b01 |
---
|
|
|
2a1b01 |
cmis.c | 2 +-
|
|
|
2a1b01 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
2a1b01 |
|
|
|
2a1b01 |
diff --git a/cmis.c b/cmis.c
|
|
|
2a1b01 |
index 361b721f332f..1a91e798e4b8 100644
|
|
|
2a1b01 |
--- a/cmis.c
|
|
|
2a1b01 |
+++ b/cmis.c
|
|
|
2a1b01 |
@@ -297,7 +297,7 @@ static void cmis_show_link_len_from_page(const __u8 *page_one_data)
|
|
|
2a1b01 |
*/
|
|
|
2a1b01 |
static void cmis_show_link_len(const __u8 *id)
|
|
|
2a1b01 |
{
|
|
|
2a1b01 |
- cmis_show_link_len_from_page(id + PAG01H_UPPER_OFFSET);
|
|
|
2a1b01 |
+ cmis_show_link_len_from_page(id);
|
|
|
2a1b01 |
}
|
|
|
2a1b01 |
|
|
|
2a1b01 |
/**
|
|
|
2a1b01 |
--
|
|
|
2a1b01 |
2.35.1
|
|
|
2a1b01 |
|