[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux kernel < 4.14.111 drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c kernel a
From:       Fuqian Huang <huangfq.daxian () gmail ! com>
Date:       2019-04-18 13:33:42
Message-ID: CABXRUiRFD7o9UqERpn4JLZLf1caSkgCoNaGeh3d2vG2hevSzGg () mail ! gmail ! com
[Download RAW message or body]

In drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:65
and drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:77,
nfp_net_debugfs_rx_q_read will dump the address of
rx_rings->rxds and frag to debugfs, which allows local user
to read the kernel address via debugfs.

static int nfp_net_debugfs_rx_q_read(struct seq_file *file, void *data)
{
    seq_printf(file, "RX[%02d,%02d]: cnt=%u dma=%pad host=%p   H_RD=%u
H_WR=%u FL_RD=%u FL_WR=%u\n",
           rx_ring->idx, rx_ring->fl_qcidx,
           rx_ring->cnt, &rx_ring->dma, rx_ring->rxds,
           rx_ring->rd_p, rx_ring->wr_p, fl_rd_p, fl_wr_p);
    ...
        if (frag)
            seq_printf(file, " frag=%p", frag);
    ...
}

In drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:148
and drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:164
and drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:167,
nfp_net_debugfs_tx_q_read will dump the address of
rx_rings->rxds and skb->head and frag to debugfs, which allows local user
to read the kernel address via debugfs.

static int nfp_net_debugfs_tx_q_read(struct seq_file *file, void *data)
{
    ...
    seq_printf(file, "TX[%02d,%02d%s]: cnt=%u dma=%pad host=%p
H_RD=%u H_WR=%u D_RD=%u D_WR=%u\n",
           tx_ring->idx, tx_ring->qcidx,
           tx_ring == r_vec->tx_ring ? "" : "xdp",
           tx_ring->cnt, &tx_ring->dma, tx_ring->txds,
           tx_ring->rd_p, tx_ring->wr_p, d_rd_p, d_wr_p);

    ...
        if (tx_ring == r_vec->tx_ring) {
            struct sk_buff *skb = READ_ONCE(tx_ring->txbufs[i].skb);

            if (skb)
                seq_printf(file, " skb->head=%p skb->data=%p",
                       skb->head, skb->data);
        } else {
            seq_printf(file, " frag=%p",
                   READ_ONCE(tx_ring->txbufs[i].frag));
        }
    ...
}
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic