aboutsummaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorJack Morgenstein2014-09-30 12:03:49 +0300
committerDavid S. Miller2014-09-30 16:27:49 -0400
commita7401b9cf342775921f7b8eb2f9cedcaf004a929 (patch)
treeacabc4f35d537d90a2f33f7c85f1d6485c038398 /drivers
parente1c00e10e92c04aa637126db2e59b092bd4878f8 (diff)
net/mlx4_core: Protect QUERY_PORT wrapper from untrusted guests
The function mlx4_QUERY_PORT_wrapper implements only the QUERY_PORT "general" case (opcode modifier = 0). Verify that the opcode modifier is zero, and also that the input modifier contains only the port number in bits 0..7 (all other bits should be zero). Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/ethernet/mellanox/mlx4/fw.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/net/ethernet/mellanox/mlx4/fw.c b/drivers/net/ethernet/mellanox/mlx4/fw.c
index 13b2e4a51ef4..2e88a235e26b 100644
--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
@@ -982,8 +982,13 @@ int mlx4_QUERY_PORT_wrapper(struct mlx4_dev *dev, int slave,
if (port < 0)
return -EINVAL;
- vhcr->in_modifier = (vhcr->in_modifier & ~0xFF) |
- (port & 0xFF);
+ /* Protect against untrusted guests: enforce that this is the
+ * QUERY_PORT general query.
+ */
+ if (vhcr->op_modifier || vhcr->in_modifier & ~0xFF)
+ return -EINVAL;
+
+ vhcr->in_modifier = port;
err = mlx4_cmd_box(dev, 0, outbox->dma, vhcr->in_modifier, 0,
MLX4_CMD_QUERY_PORT, MLX4_CMD_TIME_CLASS_B,