From: Anatoly Burakov
To: dev@dpdk.org
Cc: Paul Greenwalt, ian.stokes@intel.com, bruce.richardson@intel.com
Subject: [PATCH v4 045/103] net/ice/base: fix potential TLV length overflow
Date: Wed, 26 Jun 2024 12:41:33 +0100
Message-ID: <1e17609676a60249bcd31735881e8f35d00d2d8e.1719401848.git.anatoly.burakov@intel.com>

From: Paul Greenwalt

It's possible that an NVM with an invalid tlv_len could cause an integer overflow of next_tlv which can result in an infinite loop. Fix this issue by changing next_tlv from u16 to u32 to prevent overflow. Also check that tlv_len is valid and less than pfa_len. Fix an issue with conversion from 'u32' to 'u16', possible loss of data compile errors by making appropriate casts.

Signed-off-by: Paul Greenwalt
Signed-off-by: Dan Nowlin
Signed-off-by: Ian Stokes
--- drivers/net/ice/base/ice_nvm.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 79b66fa70f..811bbc9bbc 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, u16 module_type) { u16 pfa_len, pfa_ptr; - u16 next_tlv; + u32 next_tlv; int status; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < pfa_ptr + pfa_len) { + while (next_tlv < ((u32)pfa_ptr + pfa_len)) { u16 tlv_sub_module_type; u16 tlv_len; /* Read TLV type */ - status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type); + status = ice_read_sr_word(hw, (u16)next_tlv, + &tlv_sub_module_type); if (status) { ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n"); break; } /* Read TLV length */ - status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len); + status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len); if (status) { ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } + if (tlv_len > pfa_len) { + ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); + return ICE_ERR_INVAL_SIZE; + } if (tlv_sub_module_type == module_type) { if (tlv_len) { - *module_tlv = next_tlv; + *module_tlv = (u16)next_tlv; *module_tlv_len = tlv_len; return 0; } -- 2.43.0
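Review bot: In the first hunk (the next_tlv declaration), nothing bounds the widened counter to the 16-bit range that its later uses assume. The second hunk narrows it again with (u16)next_tlv and (u16)(next_tlv + 1) at every read and with *module_tlv = (u16)next_tlv on the match path. If (u32)pfa_ptr + pfa_len exceeds 0xFFFF, the loop keeps running and passes a wrapped word offset to ice_read_sr_word instead of stopping. Consider rejecting a PFA whose pfa_ptr + pfa_len does not fit in 16 bits before entering the loop, which would also make each of the casts lossless by construction.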
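Review bot: In the second hunk, the new check if (tlv_len > pfa_len) accepts tlv_len == pfa_len, while the commit message says the length must be less than pfa_len. It also compares against the size of the whole PFA rather than the words left between next_tlv and pfa_ptr + pfa_len, so a TLV located near the end of the area can still declare a length that runs past it. Suggest bounding tlv_len by the remaining span, and using >= if equality is meant to be invalid. Separately, this path returns ICE_ERR_INVAL_SIZE directly while the two read failures just above it use break; a one-line comment on why the exits differ would help the next reader.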