[PATCH] net/txgbe: fix out of bound access
Luca Boccassi
bluca at debian.org
Thu Nov 16 16:16:27 CET 2023
On Thu, 2023-11-16 at 14:07 +0000, Ferruh Yigit wrote:
> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
>
> In function 'txgbe_host_interface_command',
> inlined from 'txgbe_host_interface_command'
> at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
> inlined from 'txgbe_hic_reset'
> at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
> ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
> error: array subscript 2 is outside array bounds ofr
> 'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
> 145 | buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
> ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
> ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
> note: at offset 8 into object 'reset_cmd' of size 8
> 331 | struct txgbe_hic_reset reset_cmd;
> | ^~~~~~~~~
>
> Access to buffer done based on command code, the case complained by
> FW_RESET_CMD has short buffer but this code path only taken with command
> 0x30, so this shouldn't be a problem.
>
> Adding a size check before accessing to the buffer, as this is control
> plane code, additional check shouldn't hurt.
>
> [1]
> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
>
> [2]
> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
>
> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
> Cc: stable at dpdk.org
>
> Reported-by: Luca Boccassi <luca.boccassi at microsoft.com>
> Signed-off-by: Ferruh Yigit <ferruh.yigit at amd.com>
> ---
> Cc: jiawenwu at trustnetic.com
> Cc: jianwang at trustnetic.com
>
> @Luca, I am not sure if this additional check will satisfy the compiler,
> can you please verify the patch?
>
> @Jiawen, there is a specific handling for command 0x30, from comment it
> looks like it is Read Flash command, but it looks like this command is
> not used by the driver, if this is correct can we remove the check
> completely? Removing can be simpler way to fix the compiler error.
> ---
> drivers/net/txgbe/base/txgbe_mng.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
> index df7145094f84..9797b1b8b5da 100644
> --- a/drivers/net/txgbe/base/txgbe_mng.c
> +++ b/drivers/net/txgbe/base/txgbe_mng.c
> @@ -147,6 +147,10 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
> * two byes instead of one byte
> */
> if (resp->cmd == 0x30) {
> + if (length < ((dword_len + 2) << 2)) {
> + err = TXGBE_ERR_HOST_INTERFACE_COMMAND;
> + goto rel_out;
> + }
> for (; bi < dword_len + 2; bi++)
> buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>
Thanks, this fixes the build:
https://build.opensuse.org/package/live_build_log/home:bluca:dpdk/dpdk-20.11/openSUSE_Factory_ARM/armv7l
Tested-by: Luca Boccassi <bluca at debian.org>
More information about the stable
mailing list