Commit c666fa63 authored by Wei Fang's avatar Wei Fang Committed by Jakub Kicinski
Browse files

net: enetc: fix TOCTOU race and validate VF MAC address 

Sashiko reported that the PF driver accepts arbitrary MAC address from
from VF mailbox messages without proper validation, creating a security
vulnerability [1].

In enetc_msg_pf_set_vf_primary_mac_addr(), the MAC address is extracted
directly from the message buffer (cmd->mac.sa_data) and programmed into
hardware via pf->ops->set_si_primary_mac() without any validity checks.
A malicious VF can configure a multicast, broadcast, or all-zero MAC
address. Therefore, a validation to check the MAC address provided by VF
is required.

However, simply checking the MAC address is not enough, because it also
has the potential TOCTOU race [2]: The code reads the MAC address from
the DMA buffer to validate it via is_valid_ether_addr(), if validation
passes, reads the same DMA buffer a second time when calling
enetc_pf_set_primary_mac_addr() to program the hardware. A malicious VF
can exploit this window by overwriting the MAC address in the DMA buffer
between the validation check and the hardware programming, bypassing the
validation entirely.

Therefore, allocate a local buffer in enetc_msg_handle_rxmsg() and copy
the message content from the DMA buffer via memcpy() before processing.
This ensures the PF operates on a stable snapshot that the VF cannot
modify.

Link: https://sashiko.dev/#/patchset/20260511080805.2052495-1-wei.fang%40nxp.com #1
Link: https://sashiko.dev/#/patchset/20260513103021.2190593-1-wei.fang%40nxp.com

 #2
Fixes: beb74ac8 ("enetc: Add vf to pf messaging support")
Signed-off-by: default avatarWei Fang <wei.fang@nxp.com>
Reviewed-by: default avatarHarshitha Ramamurthy <hramamurthy@google.com>
Link: https://patch.msgid.link/20260520064421.91569-5-wei.fang@nxp.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 4a995d37

drivers/net/ethernet/freescale/enetc/enetc_pf.c

+30 −9
Original line number Diff line number Diff line
@@ -478,21 +478,24 @@ static void enetc_configure_port(struct enetc_pf *pf) 


/* Messaging */

static u16 enetc_msg_pf_set_vf_primary_mac_addr(struct enetc_pf *pf,

						int vf_id)

						int vf_id, void *msg)

{

	struct enetc_vf_state *vf_state = &pf->vf_state[vf_id];

	struct enetc_msg_swbd *msg = &pf->rxmsg[vf_id];

	struct enetc_msg_cmd_set_primary_mac *cmd;

	struct enetc_msg_cmd_set_primary_mac *cmd = msg;

	struct device *dev = &pf->si->pdev->dev;

	u16 cmd_id;

	u16 cmd_id = cmd->header.id;

	char *addr;



	cmd = (struct enetc_msg_cmd_set_primary_mac *)msg->vaddr;

	cmd_id = cmd->header.id;

	if (cmd_id != ENETC_MSG_CMD_MNG_ADD)

		return ENETC_MSG_CMD_STATUS_FAIL;



	addr = cmd->mac.sa_data;

	if (!is_valid_ether_addr(addr)) {

		dev_err_ratelimited(dev, "VF%d attempted to set invalid MAC\n",

				    vf_id);

		return ENETC_MSG_CMD_STATUS_FAIL;

	}



	if (vf_state->flags & ENETC_VF_FLAG_PF_SET_MAC) {

		dev_err_ratelimited(dev,

				    "VF%d attempted to override PF set MAC\n",
@@ -507,17 +510,33 @@ static u16 enetc_msg_pf_set_vf_primary_mac_addr(struct enetc_pf *pf, 


void enetc_msg_handle_rxmsg(struct enetc_pf *pf, int vf_id, u16 *status)

{

	struct enetc_msg_swbd *msg = &pf->rxmsg[vf_id];

	struct enetc_msg_swbd *msg_swbd = &pf->rxmsg[vf_id];

	struct device *dev = &pf->si->pdev->dev;

	struct enetc_msg_cmd_header *cmd_hdr;

	u16 cmd_type;

	u8 *msg;



	cmd_hdr = (struct enetc_msg_cmd_header *)msg->vaddr;

	msg = kzalloc_objs(*msg, msg_swbd->size);

	if (!msg) {

		dev_err_ratelimited(dev,

				    "Failed to allocate message buffer\n");

		*status = ENETC_MSG_CMD_STATUS_FAIL;

		return;

	}



	/* Currently, only ENETC_MSG_CMD_MNG_MAC command is supported, so

	 * only sizeof(struct enetc_msg_cmd_set_primary_mac) bytes need to

	 * be copied. This data already includes the cmd_type field, so it

	 * can correctly return an error code.

	 */

	memcpy(msg, msg_swbd->vaddr,

	       sizeof(struct enetc_msg_cmd_set_primary_mac));

	cmd_hdr = (struct enetc_msg_cmd_header *)msg;

	cmd_type = cmd_hdr->type;



	switch (cmd_type) {

	case ENETC_MSG_CMD_MNG_MAC:

		*status = enetc_msg_pf_set_vf_primary_mac_addr(pf, vf_id);

		*status = enetc_msg_pf_set_vf_primary_mac_addr(pf, vf_id, msg);

		break;

	default:

		*status = ENETC_MSG_CMD_STATUS_FAIL;
@@ -525,6 +544,8 @@ void enetc_msg_handle_rxmsg(struct enetc_pf *pf, int vf_id, u16 *status) 
				    "command not supported (cmd_type: 0x%x)\n",

				    cmd_type);

	}



	kfree(msg);

}



#ifdef CONFIG_PCI_IOV