linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
@ 2021-11-17  3:44 Teng Qi
  2021-11-18 11:20 ` patchwork-bot+netdevbpf
  2021-11-19  3:37 ` lipeng (Y)
  0 siblings, 2 replies; 3+ messages in thread
From: Teng Qi @ 2021-11-17  3:44 UTC (permalink / raw)
  To: yisen.zhuang, salil.mehta, davem, kuba, lipeng321,
	huangguangbin2, zhengyongjun3, liuyonglong, shenyang39
  Cc: netdev, linux-kernel, baijiaju1990, islituo, Teng Qi, TOTE Robot

The if statement:
  if (port >= DSAF_GE_NUM)
        return;

limits the value of port less than DSAF_GE_NUM (i.e., 8).
However, if the value of port is 6 or 7, an array overflow could occur:
  port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;

because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).

To fix this possible array overflow, we first check port and if it is
greater than or equal to DSAF_MAX_PORT_NUM, the function returns.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
---
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
index 23d9cbf262c3..740850b64aff 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
@@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
 		return;
 
 	if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
+		/* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
+		   We need check to prevent array overflow */
+		if (port >= DSAF_MAX_PORT_NUM)
+			return;
 		reg_val_1  = 0x1 << port;
 		port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
 		/* there is difference between V1 and V2 in register.*/
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
  2021-11-17  3:44 [PATCH] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Teng Qi
@ 2021-11-18 11:20 ` patchwork-bot+netdevbpf
  2021-11-19  3:37 ` lipeng (Y)
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-11-18 11:20 UTC (permalink / raw)
  To: Teng Qi
  Cc: yisen.zhuang, salil.mehta, davem, kuba, lipeng321,
	huangguangbin2, zhengyongjun3, liuyonglong, shenyang39, netdev,
	linux-kernel, baijiaju1990, islituo, oslab

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Wed, 17 Nov 2021 11:44:53 +0800 you wrote:
> The if statement:
>   if (port >= DSAF_GE_NUM)
>         return;
> 
> limits the value of port less than DSAF_GE_NUM (i.e., 8).
> However, if the value of port is 6 or 7, an array overflow could occur:
>   port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
> 
> [...]

Here is the summary with links:
  - ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
    https://git.kernel.org/netdev/net/c/a66998e0fbf2

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
  2021-11-17  3:44 [PATCH] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Teng Qi
  2021-11-18 11:20 ` patchwork-bot+netdevbpf
@ 2021-11-19  3:37 ` lipeng (Y)
  1 sibling, 0 replies; 3+ messages in thread
From: lipeng (Y) @ 2021-11-19  3:37 UTC (permalink / raw)
  To: Teng Qi, yisen.zhuang, salil.mehta, davem, kuba, huangguangbin2,
	zhengyongjun3, liuyonglong, shenyang39
  Cc: netdev, linux-kernel, baijiaju1990, islituo, TOTE Robot

Sorry for the late reply.

Seeing this functions:

static int hns_mac_get_max_port_num(struct dsaf_device *dsaf_dev)
{
     if (HNS_DSAF_IS_DEBUG(dsaf_dev))
         return 1;
     else
         return  DSAF_MAX_PORT_NUM;
}

int hns_mac_init(struct dsaf_device *dsaf_dev)
{
     bool found = false;
     int ret;
     u32 port_id;
     int max_port_num = hns_mac_get_max_port_num(dsaf_dev);
     struct hns_mac_cb *mac_cb;
     struct fwnode_handle *child;

     device_for_each_child_node(dsaf_dev->dev, child) {
         ret = fwnode_property_read_u32(child, "reg", &port_id);
         if (ret) {
             dev_err(dsaf_dev->dev,
                 "get reg fail, ret=%d!\n", ret);
             return ret;
         }
         if (port_id >= max_port_num) {
             dev_err(dsaf_dev->dev,
                 "reg(%u) out of range!\n", port_id);
             return -EINVAL;
         }

The port_id had limit to DSAF_MAX_PORT_NUM, so this patch is 
unnecessary, thanks!


On 2021/11/17 11:44, Teng Qi wrote:
> The if statement:
>    if (port >= DSAF_GE_NUM)
>          return;
> 
> limits the value of port less than DSAF_GE_NUM (i.e., 8).
> However, if the value of port is 6 or 7, an array overflow could occur:
>    port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
> 
> because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
> 
> To fix this possible array overflow, we first check port and if it is
> greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
> 
> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
> Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
> ---
>   drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
> index 23d9cbf262c3..740850b64aff 100644
> --- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
> +++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
> @@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
>   		return;
>   
>   	if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
> +		/* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
> +		   We need check to prevent array overflow */
> +		if (port >= DSAF_MAX_PORT_NUM)
> +			return;
>   		reg_val_1  = 0x1 << port;
>   		port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
>   		/* there is difference between V1 and V2 in register.*/
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-11-19  3:37 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-17  3:44 [PATCH] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Teng Qi
2021-11-18 11:20 ` patchwork-bot+netdevbpf
2021-11-19  3:37 ` lipeng (Y)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).