From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5975C45849; Fri, 23 Aug 2024 12:52:16 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 0A98E4335A; Fri, 23 Aug 2024 12:51:39 +0200 (CEST) Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.9]) by mails.dpdk.org (Postfix) with ESMTP id 54DAB43332 for ; Fri, 23 Aug 2024 12:51:37 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1724410297; x=1755946297; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=o5GPguPiITbCUIP1cmq3ufohajY0Kcx19KMUdeZRBlI=; b=T2MrsY0jILhCYoyI2VDH0qeh/hU6LgoqHUUJqHiBDSXHdrQ+0zycQPI+ Oep5S9rLiem9KBi1wSY6pAE2/JwUy0bqPpim4qlCGoWo1aTWsEVp3xKGk uoPl+o8BX4Vjqvyu+C2T4znwqqcT2o76cMy0gw8S5aDZg2BJK/3JZiOe8 jS3zI8EuRe0pR1hpOGNEMsESqftoqczS8GO5Ngz4drAMffuMJBnxA7Rm3 apI210+fqnsITN9nFetSk/Zt6nv+W8GqBsDaksOqN1WbpQQpFUyenor/K XLnn0LUC1KyZEYBio+1VSmGZSbH8kUNfnsvLrmdkrPvyZyxEadueBYrk9 g==; X-CSE-ConnectionGUID: eQgIZij2SQqUE5cd0VfKVw== X-CSE-MsgGUID: MqmtCoP3SpihngDiQzLPTg== X-IronPort-AV: E=McAfee;i="6700,10204,11172"; a="33535656" X-IronPort-AV: E=Sophos;i="6.10,170,1719903600"; d="scan'208";a="33535656" Received: from orviesa010.jf.intel.com ([10.64.159.150]) by fmvoesa103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Aug 2024 03:51:37 -0700 X-CSE-ConnectionGUID: 3AbIyAAgRm6De22ptbhXMw== X-CSE-MsgGUID: WiowLUu0RiyQtnsuGI4Rwg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.10,170,1719903600"; d="scan'208";a="61617740" Received: from unknown (HELO npf-hyd-clx-03..) ([10.145.170.182]) by orviesa010.jf.intel.com with ESMTP; 23 Aug 2024 03:51:35 -0700 From: Soumyadeep Hore To: bruce.richardson@intel.com, ian.stokes@intel.com, aman.deep.singh@intel.com Cc: dev@dpdk.org, shaiq.wani@intel.com, Fabio Pricoco Subject: [PATCH v3 08/12] net/ice: update iteration of TLVs in Preserved Fields Area Date: Fri, 23 Aug 2024 09:56:46 +0000 Message-ID: <20240823095650.349785-9-soumyadeep.hore@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240823095650.349785-1-soumyadeep.hore@intel.com> References: <20240822185346.221885-13-soumyadeep.hore@intel.com> <20240823095650.349785-1-soumyadeep.hore@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Fabio Pricoco Correct the logic for determining the maximum PFA offset to include the extra last word. Additionally, make the driver robust against overflows by using check_add_overflow. This ensures that even if the NVM provides bogus data, the driver will not overflow, and will instead log a useful warning message. The check for whether the TLV length exceeds the PFA length is also removed, in favor of relying on the overflow warning instead. Signed-off-by: Fabio Pricoco Signed-off-by: Soumyadeep Hore --- drivers/net/ice/base/ice_nvm.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 0124cef04c..56c6c96a95 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -469,6 +469,8 @@ int ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data) return status; } +#define check_add_overflow __builtin_add_overflow + /** * ice_get_pfa_module_tlv - Reads sub module TLV from NVM PFA * @hw: pointer to hardware structure @@ -484,8 +486,7 @@ int ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, u16 module_type) { - u16 pfa_len, pfa_ptr; - u32 next_tlv; + u16 pfa_len, pfa_ptr, next_tlv, max_tlv; int status; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); @@ -498,6 +499,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read PFA length.\n"); return status; } + + if (check_add_overflow(pfa_ptr, (u16)(pfa_len - 1), &max_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "PFA starts at offset %u. PFA length of %u caused 16-bit arithmetic overflow.\n", + pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } + /* The Preserved Fields Area contains a sequence of TLVs which define * its contents. The PFA length includes all of the TLVs, plus its * initial length word itself, *and* one final word at the end of all @@ -507,7 +515,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < ((u32)pfa_ptr + pfa_len - 1)) { + while (next_tlv < max_tlv) { u16 tlv_sub_module_type; u16 tlv_len; @@ -524,10 +532,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } - if (tlv_len > pfa_len) { - ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); - return ICE_ERR_INVAL_SIZE; - } if (tlv_sub_module_type == module_type) { if (tlv_len) { *module_tlv = (u16)next_tlv; @@ -536,10 +540,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, } return ICE_ERR_INVAL_SIZE; } - /* Check next TLV, i.e. current TLV pointer + length + 2 words - * (for current TLV's type and length) - */ - next_tlv = next_tlv + tlv_len + 2; + + if (check_add_overflow(next_tlv, (u16)2, &next_tlv) || + check_add_overflow(next_tlv, tlv_len, &next_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "TLV of type %u and length 0x%04x caused 16-bit arithmetic overflow. The PFA starts at 0x%04x and has length of 0x%04x\n", + tlv_sub_module_type, tlv_len, pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } } /* Module does not exist */ return ICE_ERR_DOES_NOT_EXIST; -- 2.43.0