diff options
| author | Jack Morgenstein <jackm@dev.mellanox.co.il> | 2014-09-30 05:03:49 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-09-30 16:27:49 -0400 |
| commit | a7401b9cf342775921f7b8eb2f9cedcaf004a929 (patch) | |
| tree | acabc4f35d537d90a2f33f7c85f1d6485c038398 | |
| parent | e1c00e10e92c04aa637126db2e59b092bd4878f8 (diff) | |
net/mlx4_core: Protect QUERY_PORT wrapper from untrusted guests
The function mlx4_QUERY_PORT_wrapper implements only the
QUERY_PORT "general" case (opcode modifier = 0).
Verify that the opcode modifier is zero, and also that the
input modifier contains only the port number in bits 0..7
(all other bits should be zero).
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | drivers/net/ethernet/mellanox/mlx4/fw.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/net/ethernet/mellanox/mlx4/fw.c b/drivers/net/ethernet/mellanox/mlx4/fw.c index 13b2e4a51ef4..2e88a235e26b 100644 --- a/drivers/net/ethernet/mellanox/mlx4/fw.c +++ b/drivers/net/ethernet/mellanox/mlx4/fw.c | |||
| @@ -982,8 +982,13 @@ int mlx4_QUERY_PORT_wrapper(struct mlx4_dev *dev, int slave, | |||
| 982 | if (port < 0) | 982 | if (port < 0) |
| 983 | return -EINVAL; | 983 | return -EINVAL; |
| 984 | 984 | ||
| 985 | vhcr->in_modifier = (vhcr->in_modifier & ~0xFF) | | 985 | /* Protect against untrusted guests: enforce that this is the |
| 986 | (port & 0xFF); | 986 | * QUERY_PORT general query. |
| 987 | */ | ||
| 988 | if (vhcr->op_modifier || vhcr->in_modifier & ~0xFF) | ||
| 989 | return -EINVAL; | ||
| 990 | |||
| 991 | vhcr->in_modifier = port; | ||
| 987 | 992 | ||
| 988 | err = mlx4_cmd_box(dev, 0, outbox->dma, vhcr->in_modifier, 0, | 993 | err = mlx4_cmd_box(dev, 0, outbox->dma, vhcr->in_modifier, 0, |
| 989 | MLX4_CMD_QUERY_PORT, MLX4_CMD_TIME_CLASS_B, | 994 | MLX4_CMD_QUERY_PORT, MLX4_CMD_TIME_CLASS_B, |