net/qede/base: fix Rx queue access by malicious VFs
authorRasesh Mody <rasesh.mody@cavium.com>
Fri, 23 Dec 2016 00:50:02 +0000 (16:50 -0800)
committerFerruh Yigit <ferruh.yigit@intel.com>
Tue, 17 Jan 2017 18:40:52 +0000 (19:40 +0100)
Rx queue access is still done prior to the index being validated by PF.
Hence move Rx queue and status block validation check before accessing
Rx queue to prevent malicious VFs from using out-of-bound queue indices.

Fixes: 98bc693e1938 ("net/qede/base: change queue start")

Signed-off-by: Rasesh Mody <rasesh.mody@cavium.com>
drivers/net/qede/base/ecore_sriov.c

index de54b9a..1255296 100644 (file)
@@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
        enum _ecore_status_t rc;
 
        req = &mbx->req_virt->start_rxq;
+
+       if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
+           !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
+               goto out;
+
        OSAL_MEMSET(&p_params, 0, sizeof(p_params));
        p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
        p_params.vf_qid = req->rx_qid;
@@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
        p_params.sb = req->hw_sb;
        p_params.sb_idx = req->sb_index;
 
-       if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
-           !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
-               goto out;
-
        /* Legacy VFs have their Producers in a different location, which they
         * calculate on their own and clean the producer prior to this.
         */