From: Jack Morgenstein Date: Tue, 30 Sep 2014 09:03:49 +0000 (+0300) Subject: net/mlx4_core: Protect QUERY_PORT wrapper from untrusted guests X-Git-Tag: firefly_0821_release~176^2~3106^2~102^2~1 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=a7401b9cf342775921f7b8eb2f9cedcaf004a929;p=firefly-linux-kernel-4.4.55.git net/mlx4_core: Protect QUERY_PORT wrapper from untrusted guests The function mlx4_QUERY_PORT_wrapper implements only the QUERY_PORT "general" case (opcode modifier = 0). Verify that the opcode modifier is zero, and also that the input modifier contains only the port number in bits 0..7 (all other bits should be zero). Signed-off-by: Jack Morgenstein Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller --- diff --git a/drivers/net/ethernet/mellanox/mlx4/fw.c b/drivers/net/ethernet/mellanox/mlx4/fw.c index 13b2e4a51ef4..2e88a235e26b 100644 --- a/drivers/net/ethernet/mellanox/mlx4/fw.c +++ b/drivers/net/ethernet/mellanox/mlx4/fw.c @@ -982,8 +982,13 @@ int mlx4_QUERY_PORT_wrapper(struct mlx4_dev *dev, int slave, if (port < 0) return -EINVAL; - vhcr->in_modifier = (vhcr->in_modifier & ~0xFF) | - (port & 0xFF); + /* Protect against untrusted guests: enforce that this is the + * QUERY_PORT general query. + */ + if (vhcr->op_modifier || vhcr->in_modifier & ~0xFF) + return -EINVAL; + + vhcr->in_modifier = port; err = mlx4_cmd_box(dev, 0, outbox->dma, vhcr->in_modifier, 0, MLX4_CMD_QUERY_PORT, MLX4_CMD_TIME_CLASS_B,