i40e: define proper net_device::neigh_priv_len

finist0 · Jeff Kirsher · commit 31389b53b3e0 · 2018-12-20T12:02:26.000-08:00
Out of bound read reported by KASan.

i40iw_net_event() reads unconditionally 16 bytes from
neigh-&gt;primary_key while the memory allocated for
"neighbour" struct is evaluated in neigh_alloc() as

  tbl-&gt;entry_size + dev-&gt;neigh_priv_len

where "dev" is a net_device.

But the driver does not setup dev-&gt;neigh_priv_len and
we read beyond the neigh entry allocated memory,
so the patch in the next mail fixes this.

Signed-off-by: Konstantin Khorenko &lt;khorenko@virtuozzo.com&gt;
Tested-by: Andrew Bowers &lt;andrewx.bowers@intel.com&gt;
Signed-off-by: Jeff Kirsher &lt;jeffrey.t.kirsher@intel.com&gt;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -12339,6 +12339,9 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
 	ether_addr_copy(netdev->dev_addr, mac_addr);
 	ether_addr_copy(netdev->perm_addr, mac_addr);
 
+	/* i40iw_net_event() reads 16 bytes from neigh->primary_key */
+	netdev->neigh_priv_len = sizeof(u32) * 4;
+
 	netdev->priv_flags |= IFF_UNICAST_FLT;
 	netdev->priv_flags |= IFF_SUPP_NOFCS;
 	/* Setup netdev TC information */
