* [PATCH][next] octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam()
@ 2021-02-12 14:50 Hariprasad Kelam
0 siblings, 0 replies; 2+ messages in thread
From: Hariprasad Kelam @ 2021-02-12 14:50 UTC (permalink / raw)
To: Gustavo A. R. Silva, Sunil Kovvuri Goutham, Geethasowjanya Akula,
Subbaraya Sundeep Bhatta, David S. Miller, Jakub Kicinski,
Jesse Brandeburg, Christina Jacob
Cc: netdev, linux-kernel, linux-hardening
Hi Gustavo ,
Please see inline,
> -----Original Message-----
> From: Gustavo A. R. Silva <gustavoars@kernel.org>
> Sent: Friday, February 12, 2021 5:53 PM
> To: Sunil Kovvuri Goutham <sgoutham@marvell.com>; Geethasowjanya
> Akula <gakula@marvell.com>; Subbaraya Sundeep Bhatta
> <sbhatta@marvell.com>; Hariprasad Kelam <hkelam@marvell.com>; David
> S. Miller <davem@davemloft.net>; Jakub Kicinski <kuba@kernel.org>; Jesse
> Brandeburg <jesse.brandeburg@intel.com>; Christina Jacob
> <cjacob@marvell.com>
> Cc: netdev@vger.kernel.org; linux-kernel@vger.kernel.org; Gustavo A. R.
> Silva <gustavoars@kernel.org>; linux-hardening@vger.kernel.org
> Subject: [EXT] [PATCH][next] octeontx2-pf: Fix out-of-bounds read in
> otx2_get_fecparam()
>
> External Email
>
> ----------------------------------------------------------------------
> Code at line 967 implies that rsp->fwdata.supported_fec may be up to 4:
>
> 967: if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX)
>
Thanks for pointing this. I missed this case .
rsp->fwdata.supported_fec range is 0 to 3. Certainly 4 causes out-of-bounds.
But proper fix is
- if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX)
+ : if (rsp->fwdata.supported_fec < FEC_MAX_INDEX)
Thanks,
Hariprasad k
> If rsp->fwdata.supported_fec evaluates to 4, then there is an out-of-bounds
> read at line 971 because fec is an array with a maximum of 4 elements:
>
> 954 const int fec[] = {
> 955 ETHTOOL_FEC_OFF,
> 956 ETHTOOL_FEC_BASER,
> 957 ETHTOOL_FEC_RS,
> 958 ETHTOOL_FEC_BASER | ETHTOOL_FEC_RS};
> 959 #define FEC_MAX_INDEX 4
>
> 971: fecparam->fec = fec[rsp->fwdata.supported_fec];
>
> Fix this by properly indexing fec[] with rsp->fwdata.supported_fec - 1.
> In this case the proper indexes 0 to 3 are used when
> rsp->fwdata.supported_fec evaluates to a range of 1 to 4, correspondingly.
>
> Fixes: d0cf9503e908 ("octeontx2-pf: ethtool fec mode support")
> Addresses-Coverity-ID: 1501722 ("Out-of-bounds read")
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> index 237e5d3321d4..f7e8ada32a26 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> @@ -968,7 +968,7 @@ static int otx2_get_fecparam(struct net_device
> *netdev,
> if (!rsp->fwdata.supported_fec)
> fecparam->fec = ETHTOOL_FEC_NONE;
> else
> - fecparam->fec = fec[rsp->fwdata.supported_fec];
> + fecparam->fec = fec[rsp->fwdata.supported_fec - 1];
> }
> return 0;
> }
> --
> 2.27.0
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH][next] octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam()
@ 2021-02-12 12:23 Gustavo A. R. Silva
0 siblings, 0 replies; 2+ messages in thread
From: Gustavo A. R. Silva @ 2021-02-12 12:23 UTC (permalink / raw)
To: Sunil Goutham, Geetha sowjanya, Subbaraya Sundeep, hariprasad,
David S. Miller, Jakub Kicinski, Jesse Brandeburg,
Christina Jacob
Cc: netdev, linux-kernel, Gustavo A. R. Silva, linux-hardening
Code at line 967 implies that rsp->fwdata.supported_fec may be up to 4:
967: if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX)
If rsp->fwdata.supported_fec evaluates to 4, then there is an
out-of-bounds read at line 971 because fec is an array with
a maximum of 4 elements:
954 const int fec[] = {
955 ETHTOOL_FEC_OFF,
956 ETHTOOL_FEC_BASER,
957 ETHTOOL_FEC_RS,
958 ETHTOOL_FEC_BASER | ETHTOOL_FEC_RS};
959 #define FEC_MAX_INDEX 4
971: fecparam->fec = fec[rsp->fwdata.supported_fec];
Fix this by properly indexing fec[] with rsp->fwdata.supported_fec - 1.
In this case the proper indexes 0 to 3 are used when
rsp->fwdata.supported_fec evaluates to a range of 1 to 4, correspondingly.
Fixes: d0cf9503e908 ("octeontx2-pf: ethtool fec mode support")
Addresses-Coverity-ID: 1501722 ("Out-of-bounds read")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
index 237e5d3321d4..f7e8ada32a26 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
@@ -968,7 +968,7 @@ static int otx2_get_fecparam(struct net_device *netdev,
if (!rsp->fwdata.supported_fec)
fecparam->fec = ETHTOOL_FEC_NONE;
else
- fecparam->fec = fec[rsp->fwdata.supported_fec];
+ fecparam->fec = fec[rsp->fwdata.supported_fec - 1];
}
return 0;
}
--
2.27.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-02-12 14:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-12 14:50 [PATCH][next] octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam() Hariprasad Kelam
-- strict thread matches above, loose matches on Subject: below --
2021-02-12 12:23 Gustavo A. R. Silva
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.