net/i40e: fix out of bounds read issue

Message ID 20200507030928.42082-1-chenxux.di@intel.com (mailing list archive)
State Superseded, archived
Delegated to: xiaolong ye
Series net/i40e: fix out of bounds read issue

Checks

Context                        Check    Description
ci/checkpatch                  success  coding style OK
ci/iol-intel-Performance       success  Performance Testing PASS
ci/travis-robot                success  Travis build: passed
ci/iol-nxp-Performance         success  Performance Testing PASS
ci/iol-mellanox-Performance    success  Performance Testing PASS
ci/Intel-compilation           success  Compilation OK
ci/iol-testing                 fail     Testing issues

Commit Message

Chenxu Di May 7, 2020, 3:09 a.m. UTC
  This patch fixes (out-of-bounds read) coverity issue.

Coverity issue: 357699
Coverity issue: 357694
Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS flow")

Signed-off-by: Chenxu Di <chenxux.di@intel.com>
---
 drivers/net/i40e/i40e_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
  

Comments

Xiaolong Ye May 7, 2020, 5:15 a.m. UTC | #1
On 05/07, Chenxu Di wrote:
>This patch fixes (out-of-bounds read) coverity issue.
>
>Coverity issue: 357699
>Coverity issue: 357694
>Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS flow")
>
>Signed-off-by: Chenxu Di <chenxux.di@intel.com>
>---
> drivers/net/i40e/i40e_ethdev.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c
>index 749d85f54..6c295ac5a 100644
>--- a/drivers/net/i40e/i40e_ethdev.c
>+++ b/drivers/net/i40e/i40e_ethdev.c
>@@ -13180,7 +13180,7 @@ i40e_rss_config_hash_function(struct i40e_pf *pf,
> 		}
> 
> 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
>-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
>+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {

I see i is defined as uint32_t, why compare it to UINT64_BIT here?
And could you specify where the out of bounds read is before the fix?

> 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
> 				i40e_write_global_rx_ctl(hw,
> 					I40E_GLQF_HSYM(j),
>@@ -13312,7 +13312,7 @@ i40e_rss_clear_hash_function(struct i40e_pf *pf,
> 		}
> 
> 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
>-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
>+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
> 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
> 				i40e_write_global_rx_ctl(hw,
> 					I40E_GLQF_HSYM(j),
>-- 
>2.17.1
>
  
Chenxu Di May 7, 2020, 5:55 a.m. UTC | #2
Hi, xiaolong

> -----Original Message-----
> From: Ye, Xiaolong
> Sent: Thursday, May 7, 2020 1:15 PM
> To: Di, ChenxuX <chenxux.di@intel.com>
> Cc: dev@dpdk.org; Xing, Beilei <beilei.xing@intel.com>
> Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue
> 
> On 05/07, Chenxu Di wrote:
> >This patch fixes (out-of-bounds read) coverity issue.
> >
> >Coverity issue: 357699
> >Coverity issue: 357694
> >Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS
> >flow")
> >
> >Signed-off-by: Chenxu Di <chenxux.di@intel.com>
> >---
> > drivers/net/i40e/i40e_ethdev.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/drivers/net/i40e/i40e_ethdev.c
> >b/drivers/net/i40e/i40e_ethdev.c index 749d85f54..6c295ac5a 100644
> >--- a/drivers/net/i40e/i40e_ethdev.c
> >+++ b/drivers/net/i40e/i40e_ethdev.c
> >@@ -13180,7 +13180,7 @@ i40e_rss_config_hash_function(struct i40e_pf *pf,
> > 		}
> >
> > 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
> >-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
> >+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
> 
> I see i is defined as uint32_t, why compare it to UINT64_BIT here?
> And could you specify where the out of bounds read is before the fix?

UINT64_BIT is defined as 64, and i is just used as the index of pctypes_tbl[].
The code is just copied from the function i40e_set_hash_filter_global_config(),
so I don't know why he uses the define UINT64_BIT as the value 64.

> 
> > 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))

The out of bounds read is pctypes_tbl[i]. The code above it is:

		for (i = RTE_ETH_FLOW_UNKNOWN + 1; i < UINT64_BIT; i++) {
			if (mask0 & (1UL << i))
				break;
		}
If the loop doesn't break, the value of i will be 64, while the length of pctypes_tbl[] is 64.

> > 				i40e_write_global_rx_ctl(hw,
> > 					I40E_GLQF_HSYM(j),
> >@@ -13312,7 +13312,7 @@ i40e_rss_clear_hash_function(struct i40e_pf *pf,
> > 		}
> >
> > 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
> >-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
> >+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
> > 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
> > 				i40e_write_global_rx_ctl(hw,
> > 					I40E_GLQF_HSYM(j),
> >--
> >2.17.1
> >
  
Xiaolong Ye May 7, 2020, 6:30 a.m. UTC | #3
On 05/07, Di, ChenxuX wrote:
>Hi, xiaolong
>
>> -----Original Message-----
>> From: Ye, Xiaolong
>> Sent: Thursday, May 7, 2020 1:15 PM
>> To: Di, ChenxuX <chenxux.di@intel.com>
>> Cc: dev@dpdk.org; Xing, Beilei <beilei.xing@intel.com>
>> Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue
>> 
>> On 05/07, Chenxu Di wrote:
>> >This patch fixes (out-of-bounds read) coverity issue.
>> >
>> >Coverity issue: 357699
>> >Coverity issue: 357694
>> >Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS
>> >flow")
>> >
>> >Signed-off-by: Chenxu Di <chenxux.di@intel.com>
>> >---
>> > drivers/net/i40e/i40e_ethdev.c | 4 ++--
>> > 1 file changed, 2 insertions(+), 2 deletions(-)
>> >
>> >diff --git a/drivers/net/i40e/i40e_ethdev.c
>> >b/drivers/net/i40e/i40e_ethdev.c index 749d85f54..6c295ac5a 100644
>> >--- a/drivers/net/i40e/i40e_ethdev.c
>> >+++ b/drivers/net/i40e/i40e_ethdev.c
>> >@@ -13180,7 +13180,7 @@ i40e_rss_config_hash_function(struct i40e_pf *pf,
>> > 		}
>> >
>> > 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
>> >-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
>> >+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
>> 
>> I see i is defined as uint32_t, why compare it to UINT64_BIT here?
>> And could you specify where the out of bounds read is before the fix?
>
>UINT64_BIT is defined as 64, and i is just used as the index of pctypes_tbl[].
>The code is just copied from the function i40e_set_hash_filter_global_config(),
>so I don't know why he uses the define UINT64_BIT as the value 64.
>
>> 
>> > 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
>
>The out of bounds read is pctypes_tbl[i]. The code above it is:
>
>		for (i = RTE_ETH_FLOW_UNKNOWN + 1; i < UINT64_BIT; i++) {
>			if (mask0 & (1UL << i))
>				break;
>		}
>If the loop doesn't break, the value of i will be 64, while the length of pctypes_tbl[] is 64.

Got it, can you move the i < UINT64_BIT check before the new for loop, so it doesn't
need to check it every time?

Thanks,
Xiaolong

>
>> > 				i40e_write_global_rx_ctl(hw,
>> > 					I40E_GLQF_HSYM(j),
>> >@@ -13312,7 +13312,7 @@ i40e_rss_clear_hash_function(struct i40e_pf *pf,
>> > 		}
>> >
>> > 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
>> >-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
>> >+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
>> > 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
>> > 				i40e_write_global_rx_ctl(hw,
>> > 					I40E_GLQF_HSYM(j),
>> >--
>> >2.17.1
>> >
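
The condition described in comment #2 and the hoisted check requested in comment #3, as an added C example that is not part of the thread or of the i40e driver. TBL_LEN, PCTYPE_END, sample_tbl and both function names are hypothetical stand-ins, and the start index of 1 in both loops is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define TBL_LEN    64u  /* table length stated in the thread (UINT64_BIT) */
#define PCTYPE_END 64u  /* assumed stand-in for I40E_FILTER_PCTYPE_MAX */

/* Constructed sample table: flow type 3 maps to pctypes 5 and 9. */
static const uint64_t sample_tbl[TBL_LEN] = { [3] = (1ULL << 5) | (1ULL << 9) };

/* Same shape as the search loop quoted in the thread: index of the first
 * set bit above bit 0, or TBL_LEN when the loop never breaks. */
static uint32_t first_flow_bit(uint64_t mask)
{
	uint32_t i;

	for (i = 1; i < TBL_LEN; i++)
		if (mask & (1ULL << i))
			break;
	return i;
}

/* Counts the pctype bits the inner loop would act on. The bound on i is
 * tested once, before tbl[i] is ever evaluated; -1 means "no flow type". */
static int count_pctype_hits(const uint64_t *tbl, uint64_t mask)
{
	uint32_t i = first_flow_bit(mask);
	uint32_t j;
	int hits = 0;

	if (i >= TBL_LEN)
		return -1;
	for (j = 1; j < PCTYPE_END; j++)
		if (tbl[i] & (1ULL << j))
			hits++;
	return hits;
}

int main(void)
{
	printf("empty mask: i=%u, result=%d\n",
	       (unsigned)first_flow_bit(0), count_pctype_hits(sample_tbl, 0));
	printf("bit 3 set:  i=%u, result=%d\n",
	       (unsigned)first_flow_bit(1ULL << 3),
	       count_pctype_hits(sample_tbl, 1ULL << 3));
	return 0;
}
```

With an empty mask the search returns 64, one past the last valid index of a 64-entry table, which is the value the early return keeps away from the subscript.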
  

Patch

diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c
index 749d85f54..6c295ac5a 100644
--- a/drivers/net/i40e/i40e_ethdev.c
+++ b/drivers/net/i40e/i40e_ethdev.c
@@ -13180,7 +13180,7 @@  i40e_rss_config_hash_function(struct i40e_pf *pf,
 		}
 
 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
 				i40e_write_global_rx_ctl(hw,
 					I40E_GLQF_HSYM(j),
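Review bot: The i < UINT64_BIT term added to the for condition in i40e_rss_config_hash_function is loop-invariant: nothing in the lines shown changes i inside the j loop, so the same comparison is repeated for every j. Test it once ahead of the loop instead, for example "if (i >= UINT64_BIT)" followed by an early exit or a skip of the whole block. Because the guard exists to protect pctypes_tbl[i], comparing against the array's own element count, RTE_DIM(pf->adapter->pctypes_tbl), would keep the bound tied to the table rather than to a bit-width constant.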
@@ -13312,7 +13312,7 @@  i40e_rss_clear_hash_function(struct i40e_pf *pf,
 		}
 
 		for (j = I40E_FILTER_PCTYPE_INVALID + 1;
-		     j < I40E_FILTER_PCTYPE_MAX; j++) {
+		     j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
 			if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
 				i40e_write_global_rx_ctl(hw,
 					I40E_GLQF_HSYM(j),
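Review bot: In i40e_rss_clear_hash_function the new loop condition turns the i == UINT64_BIT case into a silent no-op: the body never runs, and the lines shown add no log or error for it. Handle that case explicitly before the loop (return an error or log at debug level) so a mask with no matching flow type is distinguishable from a successful clear. The commit message should also state that the out-of-bounds access is pctypes_tbl[i], which it currently leaves unstated, and since the guard is a verbatim copy of the one in i40e_rss_config_hash_function, a shared helper would keep the two sites from drifting apart.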