* [PATCH] octeontx2-af: Add array index check
@ 2024-03-28 8:16 Aleksandr Mishin
2024-03-28 10:09 ` Hariprasad Kelam
2024-03-28 18:28 ` Jakub Kicinski
0 siblings, 2 replies; 4+ messages in thread
From: Aleksandr Mishin @ 2024-03-28 8:16 UTC (permalink / raw)
To: Sunil Goutham
Cc: Aleksandr Mishin, Linu Cherian, Geetha sowjanya, Jerin Jacob,
hariprasad, Subbaraya Sundeep, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, linux-kernel, lvc-project
In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
value (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
Fix this bug by adding 'iter' value check.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 91c6945ea1f9 ("octeontx2-af: cn10k: Add RPM MAC support")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
index 72e060cf6b61..e9bf9231b018 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
@@ -160,6 +160,8 @@ static int rvu_map_cgx_lmac_pf(struct rvu *rvu)
continue;
lmac_bmap = cgx_get_lmac_bmap(rvu_cgx_pdata(cgx, rvu));
for_each_set_bit(iter, &lmac_bmap, rvu->hw->lmac_per_cgx) {
+ if (iter >= MAX_LMAC_COUNT)
+ continue;
lmac = cgx_get_lmacid(rvu_cgx_pdata(cgx, rvu),
iter);
rvu->pf2cgxlmac_map[pf] = cgxlmac_id_to_bmap(cgx, lmac);
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] octeontx2-af: Add array index check
2024-03-28 8:16 [PATCH] octeontx2-af: Add array index check Aleksandr Mishin
@ 2024-03-28 10:09 ` Hariprasad Kelam
2024-03-28 18:28 ` Jakub Kicinski
1 sibling, 0 replies; 4+ messages in thread
From: Hariprasad Kelam @ 2024-03-28 10:09 UTC (permalink / raw)
To: Aleksandr Mishin, Sunil Kovvuri Goutham
Cc: Linu Cherian, Geethasowjanya Akula, Jerin Jacob,
Subbaraya Sundeep Bhatta, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, linux-kernel, lvc-project
Hi,
> In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can
> reach value (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the
> array.
> Fix this bug by adding 'iter' value check.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
Since it is a fix, please add "net" to the subject.
Thanks,
Hariprasad k
> Fixes: 91c6945ea1f9 ("octeontx2-af: cn10k: Add RPM MAC support")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
> drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> index 72e060cf6b61..e9bf9231b018 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> @@ -160,6 +160,8 @@ static int rvu_map_cgx_lmac_pf(struct rvu *rvu)
> continue;
> lmac_bmap = cgx_get_lmac_bmap(rvu_cgx_pdata(cgx, rvu));
> for_each_set_bit(iter, &lmac_bmap, rvu->hw->lmac_per_cgx)
> {
> + if (iter >= MAX_LMAC_COUNT)
> + continue;
> lmac = cgx_get_lmacid(rvu_cgx_pdata(cgx, rvu),
> iter);
> rvu->pf2cgxlmac_map[pf] = cgxlmac_id_to_bmap(cgx,
> lmac);
> --
> 2.30.2
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] octeontx2-af: Add array index check
2024-03-28 8:16 [PATCH] octeontx2-af: Add array index check Aleksandr Mishin
2024-03-28 10:09 ` Hariprasad Kelam
@ 2024-03-28 18:28 ` Jakub Kicinski
2024-03-30 20:10 ` Simon Horman
1 sibling, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2024-03-28 18:28 UTC (permalink / raw)
To: Aleksandr Mishin
Cc: Sunil Goutham, Linu Cherian, Geetha sowjanya, Jerin Jacob,
hariprasad, Subbaraya Sundeep, David S. Miller, Eric Dumazet,
Paolo Abeni, netdev, linux-kernel, lvc-project
On Thu, 28 Mar 2024 11:16:48 +0300 Aleksandr Mishin wrote:
> In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
> value (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
> Fix this bug by adding 'iter' value check.
I'm guessing you got the 14 from:
hw->lmac_per_cgx = (nix_const >> 8) & 0xFULL;
Seems more reasonable to cap the size at that point than every use
afterwards.
--
pw-bot: cr
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] octeontx2-af: Add array index check
2024-03-28 18:28 ` Jakub Kicinski
@ 2024-03-30 20:10 ` Simon Horman
0 siblings, 0 replies; 4+ messages in thread
From: Simon Horman @ 2024-03-30 20:10 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Aleksandr Mishin, Sunil Goutham, Linu Cherian, Geetha sowjanya,
Jerin Jacob, hariprasad, Subbaraya Sundeep, David S. Miller,
Eric Dumazet, Paolo Abeni, netdev, linux-kernel, lvc-project
On Thu, Mar 28, 2024 at 11:28:18AM -0700, Jakub Kicinski wrote:
> On Thu, 28 Mar 2024 11:16:48 +0300 Aleksandr Mishin wrote:
> > In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
> > value (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
> > Fix this bug by adding 'iter' value check.
>
> I'm guessing you got the 14 from:
>
> hw->lmac_per_cgx = (nix_const >> 8) & 0xFULL;
>
> Seems more reasonable to cap the size at that point than every use
> afterwards.
FWIIW, I didn't find any other locations where this overflow might occur,
but I do agree that this approach makes sense.
I also notice that rvu_map_cgx_lmac_pf() has the following check near the
top. I think the lmac_per_cgx portion can be dropped, though that could be
a follow-up.
if (cgx_cnt_max > 0xF || rvu->hw->lmac_per_cgx > 0xF)
return -EINVAL;
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-03-30 20:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-28 8:16 [PATCH] octeontx2-af: Add array index check Aleksandr Mishin
2024-03-28 10:09 ` Hariprasad Kelam
2024-03-28 18:28 ` Jakub Kicinski
2024-03-30 20:10 ` Simon Horman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.