[PATCH] net/txgbe: fix out of bound access

Luca Boccassi bluca at debian.org
Thu Nov 16 16:16:27 CET 2023


On Thu, 2023-11-16 at 14:07 +0000, Ferruh Yigit wrote:
> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
> 
>  In function 'txgbe_host_interface_command',
>      inlined from 'txgbe_host_interface_command'
>              at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
>      inlined from 'txgbe_hic_reset'
>              at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
>  ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
>     error: array subscript 2 is outside array bounds of
>            'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
>    145 |                     buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>  ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
>  ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
>     note: at offset 8 into object 'reset_cmd' of size 8
>    331 |         struct txgbe_hic_reset reset_cmd;
>        |                                ^~~~~~~~~
> 
> Access to buffer done based on command code, the case complained by
> FW_RESET_CMD has short buffer but this code path only taken with command
> 0x30, so this shouldn't be a problem.
> 
> Adding a size check before accessing to the buffer, as this is control
> plane code, additional check shouldn't hurt.
> 
> [1]
> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
> 
> [2]
> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
> 
> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
> Cc: stable at dpdk.org
> 
> Reported-by: Luca Boccassi <luca.boccassi at microsoft.com>
> Signed-off-by: Ferruh Yigit <ferruh.yigit at amd.com>
> ---
> Cc: jiawenwu at trustnetic.com
> Cc: jianwang at trustnetic.com
> 
> @Luca, I am not sure if this additional check will satisfy the compiler,
> can you please verify the patch?
> 
> @Jiawen, there is a specific handling for command 0x30, from comment it
> looks like it is Read Flash command, but it looks like this command is
> not used by the driver, if this is correct can we remove the check
> completely? Removing can be simpler way to fix the compiler error.
> ---
>  drivers/net/txgbe/base/txgbe_mng.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
> index df7145094f84..9797b1b8b5da 100644
> --- a/drivers/net/txgbe/base/txgbe_mng.c
> +++ b/drivers/net/txgbe/base/txgbe_mng.c
> @@ -147,6 +147,10 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
>  	 * two byes instead of one byte
>  	 */
>  	if (resp->cmd == 0x30) {
> +		if (length < ((dword_len + 2) << 2)) {
> +			err = TXGBE_ERR_HOST_INTERFACE_COMMAND;
> +			goto rel_out;
> +		}
>  		for (; bi < dword_len + 2; bi++)
>  			buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
> 
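
Review bot: the added test "length < ((dword_len + 2) << 2)" converts a dword count to bytes with a shift, which is only correct if length is a byte count; the hunk does not show the unit of length, so a one-line comment, or writing the bound as (dword_len + 2) * sizeof(u32), would make the comparison self-explanatory and match the u32 *buffer that the loop indexes. The failure path also reuses TXGBE_ERR_HOST_INTERFACE_COMMAND, so a caller cannot tell "response buffer too small" apart from a firmware command failure; a debug log before "goto rel_out" would help if this ever triggers. Since the loop continues from the current value of bi, it is worth confirming that bailing out here, after part of the response has already been copied, leaves the caller with nothing it will treat as valid data.
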

Thanks, this fixes the build:

https://build.opensuse.org/package/live_build_log/home:bluca:dpdk/dpdk-20.11/openSUSE_Factory_ARM/armv7l

Tested-by: Luca Boccassi <bluca at debian.org>


