From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id D2FC145845; Thu, 22 Aug 2024 12:51:45 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id E439542EDD; Thu, 22 Aug 2024 12:51:05 +0200 (CEST) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.20]) by mails.dpdk.org (Postfix) with ESMTP id F0B8442EC7 for ; Thu, 22 Aug 2024 12:51:01 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1724323862; x=1755859862; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=26rfZKre3kC1RtcIlE5+0dR6bY7qKOx5mcPLtf72cjM=; b=koBOnOMpRxgbIUH3Jcp/3gnKdj9OVHRc/QTo2FwrE55WHXZLcu5W9RYv 7AeQR4rXcVvv0P6BkIeeaBTzejQfmpgwnXhbATIcJUeI8ZC8acWlRCFD6 uzvUZKo7GL5Kfty6eWWFGqTLRCa0WurOU/MsDVENxBLv8BKkWEC2h/d18 pVajXtlx8+ouC3VfSzqWpcBt3s6F2l3uW/uRZDNJE/YzqcGlpW5Ku3NSF /a6hodoeGElqJJCv/YF2no6+ERD+UgNBlaK8xAMfqQRaNBuYPW0wsw306 PwuVrktXj6wvn/z6KTlZy4wZ9L1zSPmfyGB+RBdQjgWKqiQ+7YX/DGAzV A==; X-CSE-ConnectionGUID: 1f9y5uoYTMulL8mWxR2s2w== X-CSE-MsgGUID: wUSApumLSU2Kj9schfsYAA== X-IronPort-AV: E=McAfee;i="6700,10204,11171"; a="22542281" X-IronPort-AV: E=Sophos;i="6.10,166,1719903600"; d="scan'208";a="22542281" Received: from fmviesa010.fm.intel.com ([10.60.135.150]) by orvoesa112.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Aug 2024 03:51:02 -0700 X-CSE-ConnectionGUID: 5fDo3/fbQWiFUGlRF5AdSg== X-CSE-MsgGUID: +KEljAaEQkiH3z07oMozMA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.10,166,1719903600"; d="scan'208";a="61559750" Received: from unknown (HELO npf-hyd-clx-03..) ([10.145.170.182]) by fmviesa010.fm.intel.com with ESMTP; 22 Aug 2024 03:50:59 -0700 From: Soumyadeep Hore To: bruce.richardson@intel.com, ian.stokes@intel.com, aman.deep.singh@intel.com Cc: dev@dpdk.org, shaiq.wani@intel.com Subject: [PATCH v1 08/12] net/ice: update iteration of TLVs in Preserved Fields Area Date: Thu, 22 Aug 2024 09:56:08 +0000 Message-ID: <20240822095612.216214-9-soumyadeep.hore@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240822095612.216214-1-soumyadeep.hore@intel.com> References: <20240822095612.216214-1-soumyadeep.hore@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Correct the logic for determining the maximum PFA offset to include the extra last word. Additionally, make the driver robust against overflows by using check_add_overflow. This ensures that even if the NVM provides bogus data, the driver will not overflow, and will instead log a useful warning message. The check for whether the TLV length exceeds the PFA length is also removed, in favor of relying on the overflow warning instead. Signed-off-by: Soumyadeep Hore --- drivers/net/ice/base/ice_nvm.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 0124cef04c..56c6c96a95 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -469,6 +469,8 @@ int ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data) return status; } +#define check_add_overflow __builtin_add_overflow + /** * ice_get_pfa_module_tlv - Reads sub module TLV from NVM PFA * @hw: pointer to hardware structure @@ -484,8 +486,7 @@ int ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, u16 module_type) { - u16 pfa_len, pfa_ptr; - u32 next_tlv; + u16 pfa_len, pfa_ptr, next_tlv, max_tlv; int status; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); @@ -498,6 +499,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read PFA length.\n"); return status; } + + if (check_add_overflow(pfa_ptr, (u16)(pfa_len - 1), &max_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "PFA starts at offset %u. PFA length of %u caused 16-bit arithmetic overflow.\n", + pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } + /* The Preserved Fields Area contains a sequence of TLVs which define * its contents. The PFA length includes all of the TLVs, plus its * initial length word itself, *and* one final word at the end of all @@ -507,7 +515,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < ((u32)pfa_ptr + pfa_len - 1)) { + while (next_tlv < max_tlv) { u16 tlv_sub_module_type; u16 tlv_len; @@ -524,10 +532,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } - if (tlv_len > pfa_len) { - ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); - return ICE_ERR_INVAL_SIZE; - } if (tlv_sub_module_type == module_type) { if (tlv_len) { *module_tlv = (u16)next_tlv; @@ -536,10 +540,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, } return ICE_ERR_INVAL_SIZE; } - /* Check next TLV, i.e. current TLV pointer + length + 2 words - * (for current TLV's type and length) - */ - next_tlv = next_tlv + tlv_len + 2; + + if (check_add_overflow(next_tlv, (u16)2, &next_tlv) || + check_add_overflow(next_tlv, tlv_len, &next_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "TLV of type %u and length 0x%04x caused 16-bit arithmetic overflow. The PFA starts at 0x%04x and has length of 0x%04x\n", + tlv_sub_module_type, tlv_len, pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } } /* Module does not exist */ return ICE_ERR_DOES_NOT_EXIST; -- 2.43.0