net/mlx5: fix meter color register consideration
Checks
Commit Message
The mlx5_flow_get_reg_id() function translates tag ID to register
from the registers that are supported and available for use. The
user does not know which register is available at a time and therefore
there is an array that represents mapping to the available registers.
Usually the free registers are continuous in the flow_mreg_c array but
sometimes the mtr_color_reg register is between them and it must be
skipped and the next register returned, in which case the function
returns the mapping of the next entity in the array.
When the function reads from the next entity in the array, it does not
check whether such an entity exists and in some situation invalid access
to memory occurs beyond the array boundaries.
So, when all the registers are valid from HW perspective and the meter
color register is not the default, the tag id 5 causes an out of bound
access.
Validate registers availability when meter color register is not the
default.
Coverity issue: 146355
Fixes: 792e749e92d5 ("net/mlx5: fix register usage in meter")
Cc: stable@dpdk.org
Signed-off-by: Michael Baum <michaelba@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
---
drivers/net/mlx5/mlx5_flow.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
Hi,
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Michael Baum
> Sent: Wednesday, May 6, 2020 7:24 PM
> To: dev@dpdk.org
> Cc: Matan Azrad <matan@mellanox.com>; Slava Ovsiienko
> <viacheslavo@mellanox.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH] net/mlx5: fix meter color register consideration
>
> The mlx5_flow_get_reg_id() function translates tag ID to register
> from the registers that are supported and available for use. The
> user does not know which register is available at a time and therefore
> there is an array that represents mapping to the available registers.
> Usually the free registers are continuous in the flow_mreg_c array but
> sometimes the mtr_color_reg register is between them and it must be
> skipped and the next register returned, in which case the function
> returns the mapping of the next entity in the array.
>
> When the function reads from the next entity in the array, it does not
> check whether such an entity exists and in some situation invalid access
> to memory occurs beyond the array boundaries.
>
> So, when all the registers are valid from HW perspective and the meter
> color register is not the default, the tag id 5 causes an out of bound
> access.
>
> Validate registers availability when meter color register is not the
> default.
>
> Coverity issue: 146355
> Fixes: 792e749e92d5 ("net/mlx5: fix register usage in meter")
> Cc: stable@dpdk.org
>
> Signed-off-by: Michael Baum <michaelba@mellanox.com>
> Acked-by: Matan Azrad <matan@mellanox.com>
> ---
> drivers/net/mlx5/mlx5_flow.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 01376f3..08c7cdf 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -442,6 +442,10 @@ struct mlx5_flow_tunnel_info {
> */
> if (skip_mtr_reg && config->flow_mreg_c
> [id + start_reg - REG_C_0] >= priv->mtr_color_reg) {
> + if (id >= (REG_C_7 - start_reg))
> + return rte_flow_error_set(error, EINVAL,
> +
> RTE_FLOW_ERROR_TYPE_ITEM,
> + NULL, "invalid tag
> id");
> if (config->flow_mreg_c
> [id + 1 + start_reg - REG_C_0] != REG_NONE)
> return config->flow_mreg_c
> --
> 1.8.3.1
Patch applied to next-net-mlx,
Kindest regards
Raslan Darawsheh
@@ -442,6 +442,10 @@ struct mlx5_flow_tunnel_info {
*/
if (skip_mtr_reg && config->flow_mreg_c
[id + start_reg - REG_C_0] >= priv->mtr_color_reg) {
+ if (id >= (REG_C_7 - start_reg))
+ return rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ NULL, "invalid tag id");
if (config->flow_mreg_c
[id + 1 + start_reg - REG_C_0] != REG_NONE)
return config->flow_mreg_c