From nobody Sat Nov 30 07:30:14 2024
Received: from out-170.mta1.migadu.com (out-170.mta1.migadu.com
 [95.215.58.170])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E7C078C8D
	for <linux-kernel@vger.kernel.org>; Tue, 10 Sep 2024 14:32:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=95.215.58.170
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1725978723; cv=none;
 b=IoW26MYjSF9+EB1GuZ147O+Q27RrPsIE+nub8Tc3JPmAghxu1QoUASIGZRtYAf2rO0a4NWn5xKzWS811AHKVeGJgAAoStQQ2J/9co++tSjcUnOOsgcWT8ZK7EJ/KxpypU8899XubZpxjPXLbXt0MdlyX2gjAa+Wfrn2mt3cwrCU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1725978723; c=relaxed/simple;
	bh=3hcp8+pAra2wUh/heml2tFFmFimwTQeFtKzYEfoO9Rw=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=o4xTsGbWuqiXiAdt+aeOWaFcRuYH+OldLgaJejW5NdxwNShhw/7oXc/9aLJnK4aWcg6N+g7tKhvX4sTHE9dPFfaJ/4s19ZxLFjavwfXkkdoh1PA6iEK0phWdPjb8qD5LdLO+m1R2j+weXOpqcjN9TLrcbNuzQersyH0j9d7Ogig=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.dev;
 spf=pass smtp.mailfrom=linux.dev;
 dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
 header.b=R8MtDX9W; arc=none smtp.client-ip=95.215.58.170
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
 header.b="R8MtDX9W"
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
 include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1725978718;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=+oMkdY5wNveZPHLOfaFU6K4sHgZemWN98P6jp40gR8Y=;
	b=R8MtDX9WqhGoceuOs3djsIcC71ayA4ENR/0KKxDtIiyAY1M/I/avGKeAxua5ycYGhgy9cN
	TgYTQJe3dKH4F7MmYvTY2Lk+ktVZwDuCS9mSrLUguXDR9J092vAku0dv/BTmxhSTM5Dr1Y
	yofbaBJmcp+urWt0Nv4i/yuTRvZgjfM=
From: Sean Anderson <sean.anderson@linux.dev>
To: Madalin Bucur <madalin.bucur@nxp.com>,
	Eric Dumazet <edumazet@google.com>,
	netdev@vger.kernel.org
Cc: Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	linux-kernel@vger.kernel.org,
	"David S . Miller" <davem@davemloft.net>,
	Sean Anderson <sean.anderson@linux.dev>
Subject: [PATCH net v2] net: dpaa: Pad packets to ETH_ZLEN
Date: Tue, 10 Sep 2024 10:31:44 -0400
Message-Id: <20240910143144.1439910-1-sean.anderson@linux.dev>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
Content-Type: text/plain; charset="utf-8"

When sending packets under 60 bytes, up to three bytes of the buffer
following the data may be leaked. Avoid this by extending all packets to
ETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be
reproduced by running

	$ ping -s 11 destination

Fixes: 9ad1a3749333 ("dpaa_eth: add support for DPAA Ethernet")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
---

Changes in v2:
- Fix the nonlinear varable becoming out-of-sync with the skb's
  linearization state by padding the packet before anything else.

 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/e=
thernet/freescale/dpaa/dpaa_eth.c
index cfe6b57b1da0..4a55e521c17e 100644
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2272,12 +2272,12 @@ static netdev_tx_t
 dpaa_start_xmit(struct sk_buff *skb, struct net_device *net_dev)
 {
 	const int queue_mapping =3D skb_get_queue_mapping(skb);
-	bool nonlinear =3D skb_is_nonlinear(skb);
 	struct rtnl_link_stats64 *percpu_stats;
 	struct dpaa_percpu_priv *percpu_priv;
 	struct netdev_queue *txq;
 	struct dpaa_priv *priv;
 	struct qm_fd fd;
+	bool nonlinear;
 	int offset =3D 0;
 	int err =3D 0;
=20
@@ -2287,6 +2287,13 @@ dpaa_start_xmit(struct sk_buff *skb, struct net_devi=
ce *net_dev)
=20
 	qm_fd_clear_fd(&fd);
=20
+	/* Packet data is always read as 32-bit words, so zero out any part of
+	 * the skb which might be sent if we have to pad the packet
+	 */
+	if (__skb_put_padto(skb, ETH_ZLEN, false))
+		goto enomem;
+
+	nonlinear =3D skb_is_nonlinear(skb);
 	if (!nonlinear) {
 		/* We're going to store the skb backpointer at the beginning
 		 * of the data buffer, so we need a privately owned skb
--=20
2.35.1.1320.gc452695387.dirty