From patchwork Thu Nov 16 14:07:18 2023
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 134427
X-Patchwork-Delegate: ferruh.yigit@amd.com
From: Ferruh Yigit
To: Jiawen Wu, Jian Wang, Ferruh Yigit
CC: Luca Boccassi
Subject: [PATCH] net/txgbe: fix out of bound access
Date: Thu, 16 Nov 2023 14:07:18 +0000
Message-ID: <20231116140718.4026676-1-ferruh.yigit@amd.com>
List-Id: DPDK patches and discussions

Reported by SuSe CI [1] by GCC [2], possibly false positive.

Error:
In function 'txgbe_host_interface_command',
    inlined from 'txgbe_host_interface_command' at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
    inlined from 'txgbe_hic_reset' at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
../drivers/net/txgbe/base/txgbe_mng.c:145:36: error: array subscript 2 is outside array bounds ofr 'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
  145 |                 buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
../drivers/net/txgbe/base/txgbe_mng.c:331:32: note: at offset 8 into object 'reset_cmd' of size 8
  331 |         struct txgbe_hic_reset reset_cmd;
      |                                ^~~~~~~~~

Access to buffer is done based on command code; the case complained by
FW_RESET_CMD has a short buffer, but this code path is only taken with
command 0x30, so this shouldn't be a problem.

Adding a size check before accessing the buffer; as this is control
plane code, an additional check shouldn't hurt.

[1]
https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log

[2]
gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912

Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
Cc: stable@dpdk.org

Reported-by: Luca Boccassi
Signed-off-by: Ferruh Yigit
Tested-by: Luca Boccassi
---
Cc: jiawenwu@trustnetic.com
Cc: jianwang@trustnetic.com

@Luca, I am not sure if this additional check will satisfy the
compiler, can you please verify the patch?

@Jiawen, there is a specific handling for command 0x30; from the comment
it looks like it is the Read Flash command, but it looks like this
command is not used by the driver. If this is correct, can we remove the
check completely? Removing can be a simpler way to fix the compiler
error.
--- drivers/net/txgbe/base/txgbe_mng.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c index df7145094f84..9797b1b8b5da 100644 --- a/drivers/net/txgbe/base/txgbe_mng.c +++ b/drivers/net/txgbe/base/txgbe_mng.c
@@ -147,6 +147,10 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer, * two byes instead of one byte */ if (resp->cmd == 0x30) { + if (length < ((dword_len + 2) << 2)) { + err = TXGBE_ERR_HOST_INTERFACE_COMMAND; + goto rel_out; + } for (; bi < dword_len + 2; bi++) buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
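
Review bot: the guard added at the top of the resp->cmd == 0x30 branch restates the loop bound by hand and carries no comment, so nothing tells a reader that (dword_len + 2) << 2 is the number of bytes the following loop (bi < dword_len + 2) stores into buffer, or that length is being compared as a byte count. Suggest a one-line comment above the check, and computing the dword count once so the check and the loop condition cannot drift apart in a later change. The failure path also returns TXGBE_ERR_HOST_INTERFACE_COMMAND without any log, which makes an undersized caller buffer indistinguishable from a failed firmware command; a debug message before goto rel_out would make the two cases easy to tell apart.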