From: "Di, ChenxuX" <chenxux.di@intel.com>
To: "Ye, Xiaolong" <xiaolong.ye@intel.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>, "Xing, Beilei" <beilei.xing@intel.com>
Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue
Date: Thu, 7 May 2020 05:55:23 +0000 [thread overview]
Message-ID: <43808b691dbc487eae5d7a9686e03a29@intel.com> (raw)
In-Reply-To: <20200507051512.GB49901@intel.com>
Hi, xiaolong
> -----Original Message-----
> From: Ye, Xiaolong
> Sent: Thursday, May 7, 2020 1:15 PM
> To: Di, ChenxuX <chenxux.di@intel.com>
> Cc: dev@dpdk.org; Xing, Beilei <beilei.xing@intel.com>
> Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue
>
> On 05/07, Chenxu Di wrote:
> >This patch fixes (out-of-bounds read) coverity issue.
> >
> >Coverity issue: 357699
> >Coverity issue: 357694
> >Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS
> >flow")
> >
> >Signed-off-by: Chenxu Di <chenxux.di@intel.com>
> >---
> > drivers/net/i40e/i40e_ethdev.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/drivers/net/i40e/i40e_ethdev.c
> >b/drivers/net/i40e/i40e_ethdev.c index 749d85f54..6c295ac5a 100644
> >--- a/drivers/net/i40e/i40e_ethdev.c
> >+++ b/drivers/net/i40e/i40e_ethdev.c
> >@@ -13180,7 +13180,7 @@ i40e_rss_config_hash_function(struct i40e_pf *pf,
> > }
> >
> > for (j = I40E_FILTER_PCTYPE_INVALID + 1;
> >- j < I40E_FILTER_PCTYPE_MAX; j++) {
> >+ j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
>
> I see i is defined as uint32_t, why compare it to UINT64_BIT here?
> And could you specify where is the out of bounds read before the fix?
The UINT64_BIT is the define of 64. And i is just used as the index of pctypes_tbl[].
And the code is just copy the function i40e_set_hash_filter_global_config(),
So I don't why he use the define UINT64_BIT as the value 64.
>
> > if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
the out of bounds read is the pctypes_tbl[i]. the above code is that :
for (i = RTE_ETH_FLOW_UNKNOWN + 1; i < UINT64_BIT; i++) {
if (mask0 & (1UL << i))
break;
}
If the loop doesn't break; the value of i will be 64 while the length of pctypes_tbl[] is 64.
> > i40e_write_global_rx_ctl(hw,
> > I40E_GLQF_HSYM(j),
> >@@ -13312,7 +13312,7 @@ i40e_rss_clear_hash_function(struct i40e_pf *pf,
> > }
> >
> > for (j = I40E_FILTER_PCTYPE_INVALID + 1;
> >- j < I40E_FILTER_PCTYPE_MAX; j++) {
> >+ j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) {
> > if (pf->adapter->pctypes_tbl[i] & (1ULL << j))
> > i40e_write_global_rx_ctl(hw,
> > I40E_GLQF_HSYM(j),
> >--
> >2.17.1
> >
next prev parent reply other threads:[~2020-05-07 5:55 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-07 3:09 Chenxu Di
2020-05-07 5:15 ` Ye Xiaolong
2020-05-07 5:55 ` Di, ChenxuX [this message]
2020-05-07 6:30 ` Ye Xiaolong
2020-05-07 9:49 ` [dpdk-dev] [PATCH v2] " Chenxu Di
2020-05-08 2:26 ` Yang, Qiming
2020-05-08 2:36 ` Ye Xiaolong
2020-05-08 2:54 ` Yang, Qiming
2020-05-13 2:26 ` [dpdk-dev] [PATCH v3] " Chenxu Di
2020-05-13 6:51 ` Jeff Guo
2020-05-14 1:16 ` Di, ChenxuX
2020-05-14 6:17 ` Jeff Guo
2020-05-14 6:41 ` Di, ChenxuX
2020-05-14 7:07 ` [dpdk-dev] [PATCH v4] " Chenxu Di
2020-05-14 9:07 ` Jeff Guo
2020-05-15 3:22 ` Ye Xiaolong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43808b691dbc487eae5d7a9686e03a29@intel.com \
--to=chenxux.di@intel.com \
--cc=beilei.xing@intel.com \
--cc=dev@dpdk.org \
--cc=xiaolong.ye@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).