From owner-freebsd-bugs@FreeBSD.ORG Sun Oct 12 09:13:05 2014 Return-Path: Delivered-To: freebsd-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0C5CB3F6 for ; Sun, 12 Oct 2014 09:13:05 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CDBC0CEE for ; Sun, 12 Oct 2014 09:13:04 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id s9C9D4Rq028228 for ; Sun, 12 Oct 2014 09:13:04 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 194314] New: [ixgbe] driver makes some dangerous assumptions with struct mbuf sizing with IXGBE_RX_COPY_LEN Date: Sun, 12 Oct 2014 09:13:04 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: ngie@FreeBSD.org X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Oct 2014 09:13:05 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194314 Bug ID: 194314 Summary: [ixgbe] driver makes some dangerous assumptions with struct mbuf sizing with IXGBE_RX_COPY_LEN Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: Needs Triage Severity: Affects Many People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: ngie@FreeBSD.org The code in sys/dev/ixgbe/ixgbe.h assumes that MLEN is always > 160, and doesn't exceed the size of the mbuf. MSIZE is set to 256, so if MHLEN = MSIZE - sizeof(struct m_hdr) - sizeof(struct pkthdr) < 160, ixgbe will scribble over the header information in mbufs. Similarly, if IXGBE_RX_COPY_LEN is greater than the size of the mbuf, it will scribble over other memory, potentially in the same mbuf chain, or elsewhere. This optimization needs better bounds checking/handling. 155 /* 156 * Used for optimizing small rx mbufs. Effort is made to keep the copy 157 * small and aligned for the CPU L1 cache. 158 * 159 * MHLEN is typically 168 bytes, giving us 8-byte alignment. Getting 160 * 32 byte alignment needed for the fast bcopy results in 8 bytes being 161 * wasted. Getting 64 byte alignment, which _should_ be ideal for 162 * modern Intel CPUs, results in 40 bytes wasted and a significant drop 163 * in observed efficiency of the optimization, 97.9% -> 81.8%. 164 */ 165 #define IXGBE_RX_COPY_LEN 160 166 #define IXGBE_RX_COPY_ALIGN (MHLEN - IXGBE_RX_COPY_LEN) 60 * MLEN is data length in a normal mbuf. 61 * MHLEN is data length in an mbuf with pktheader. 62 * MINCLSIZE is a smallest amount of data that should be put into cluster. 63 */ 64 #define MLEN ((int)(MSIZE - sizeof(struct m_hdr))) 65 #define MHLEN ((int)(MLEN - sizeof(struct pkthdr))) 66 #define MINCLSIZE (MHLEN + 1) -- You are receiving this mail because: You are the assignee for the bug.