From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2D2594584B; Thu, 22 Aug 2024 21:49:15 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7822D42F95; Thu, 22 Aug 2024 21:48:32 +0200 (CEST) Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.14]) by mails.dpdk.org (Postfix) with ESMTP id A3B2C42F8D for ; Thu, 22 Aug 2024 21:48:30 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1724356111; x=1755892111; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=26rfZKre3kC1RtcIlE5+0dR6bY7qKOx5mcPLtf72cjM=; b=ew76FKATdS1odycYBqoCwoorD7h2Ctx9fnFgcbnTbuts4zglcwno9R6X Qw8em+jXhJbS4cdlHY7WEARm98hrofLDkB/Pm/egCMPbH/zjFtZc0/eYD HwdxNIbnXA/qYCy1S2ZgGNxcekDUu15wLsylAiNvEibYuJBRi7YXufX2E dCAWb0AxrVfQuf4PYC0rVg9A+iWmif9Hi8V4vwkmPCxN4Ge2XXxIi+apq clscERs+iX+5g+RTVruxe+TuqCu9LJzy28v6umBUnEUPlL5z/6jZPhSlT qRloVsogJEJR+T2+lhBGArz3Vz7klVi8OwUrTjiDv0PVnBAl96lk/mVua g==; X-CSE-ConnectionGUID: QRJ3upVaTcmpJiabfaupjQ== X-CSE-MsgGUID: E64TtpLrR1Sz/fQktU21YA== X-IronPort-AV: E=McAfee;i="6700,10204,11172"; a="22979680" X-IronPort-AV: E=Sophos;i="6.10,168,1719903600"; d="scan'208";a="22979680" Received: from orviesa002.jf.intel.com ([10.64.159.142]) by fmvoesa108.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Aug 2024 12:48:30 -0700 X-CSE-ConnectionGUID: PUziMV6ZR/6ZrV6SMOf2Qg== X-CSE-MsgGUID: GD9H+RWySDKOgYCfqJoilQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.10,168,1719903600"; d="scan'208";a="92301453" Received: from unknown (HELO npf-hyd-clx-03..) ([10.145.170.182]) by orviesa002.jf.intel.com with ESMTP; 22 Aug 2024 12:48:28 -0700 From: Soumyadeep Hore To: bruce.richardson@intel.com, ian.stokes@intel.com, aman.deep.singh@intel.com Cc: dev@dpdk.org, shaiq.wani@intel.com Subject: [PATCH v2 08/12] net/ice: update iteration of TLVs in Preserved Fields Area Date: Thu, 22 Aug 2024 18:53:42 +0000 Message-ID: <20240822185346.221885-9-soumyadeep.hore@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240822185346.221885-1-soumyadeep.hore@intel.com> References: <20240822095612.216214-1-soumyadeep.hore@intel.com> <20240822185346.221885-1-soumyadeep.hore@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Correct the logic for determining the maximum PFA offset to include the extra last word. Additionally, make the driver robust against overflows by using check_add_overflow. This ensures that even if the NVM provides bogus data, the driver will not overflow, and will instead log a useful warning message. The check for whether the TLV length exceeds the PFA length is also removed, in favor of relying on the overflow warning instead. Signed-off-by: Soumyadeep Hore --- drivers/net/ice/base/ice_nvm.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 0124cef04c..56c6c96a95 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -469,6 +469,8 @@ int ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data) return status; } +#define check_add_overflow __builtin_add_overflow + /** * ice_get_pfa_module_tlv - Reads sub module TLV from NVM PFA * @hw: pointer to hardware structure @@ -484,8 +486,7 @@ int ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, u16 module_type) { - u16 pfa_len, pfa_ptr; - u32 next_tlv; + u16 pfa_len, pfa_ptr, next_tlv, max_tlv; int status; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); @@ -498,6 +499,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read PFA length.\n"); return status; } + + if (check_add_overflow(pfa_ptr, (u16)(pfa_len - 1), &max_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "PFA starts at offset %u. PFA length of %u caused 16-bit arithmetic overflow.\n", + pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } + /* The Preserved Fields Area contains a sequence of TLVs which define * its contents. The PFA length includes all of the TLVs, plus its * initial length word itself, *and* one final word at the end of all @@ -507,7 +515,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < ((u32)pfa_ptr + pfa_len - 1)) { + while (next_tlv < max_tlv) { u16 tlv_sub_module_type; u16 tlv_len; @@ -524,10 +532,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } - if (tlv_len > pfa_len) { - ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); - return ICE_ERR_INVAL_SIZE; - } if (tlv_sub_module_type == module_type) { if (tlv_len) { *module_tlv = (u16)next_tlv; @@ -536,10 +540,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, } return ICE_ERR_INVAL_SIZE; } - /* Check next TLV, i.e. current TLV pointer + length + 2 words - * (for current TLV's type and length) - */ - next_tlv = next_tlv + tlv_len + 2; + + if (check_add_overflow(next_tlv, (u16)2, &next_tlv) || + check_add_overflow(next_tlv, tlv_len, &next_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "TLV of type %u and length 0x%04x caused 16-bit arithmetic overflow. The PFA starts at 0x%04x and has length of 0x%04x\n", + tlv_sub_module_type, tlv_len, pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } } /* Module does not exist */ return ICE_ERR_DOES_NOT_EXIST; -- 2.43.0