From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id D5FF0A00C5; Thu, 7 May 2020 07:55:30 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id E55D11D9FD; Thu, 7 May 2020 07:55:29 +0200 (CEST) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 48E2F1D9FC for ; Thu, 7 May 2020 07:55:27 +0200 (CEST) IronPort-SDR: wPdjmMUzgr41Cv3F+4sXuoygFDJIOg0imNU2GC1/KQCNtIIUy3GcFfH3VxgpDRws9MdUrrPlXR D+WJwbaeLGDA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 May 2020 22:55:26 -0700 IronPort-SDR: orfFGV/kcgTSdqC/kbGX66iCGenHyqmuMukN0o8di9IMJd9V63eCA5RxHP9ufxHYvq5I3LLBy0 arrPlOrzUsBg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,362,1583222400"; d="scan'208";a="462029574" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by fmsmga006.fm.intel.com with ESMTP; 06 May 2020 22:55:26 -0700 Received: from shsmsx603.ccr.corp.intel.com (10.109.6.143) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 6 May 2020 22:55:25 -0700 Received: from shsmsx601.ccr.corp.intel.com (10.109.6.141) by SHSMSX603.ccr.corp.intel.com (10.109.6.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 7 May 2020 13:55:23 +0800 Received: from shsmsx601.ccr.corp.intel.com ([10.109.6.141]) by SHSMSX601.ccr.corp.intel.com ([10.109.6.141]) with mapi id 15.01.1713.004; Thu, 7 May 2020 13:55:23 +0800 From: "Di, ChenxuX" To: "Ye, Xiaolong" CC: "dev@dpdk.org" , "Xing, Beilei" Thread-Topic: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue Thread-Index: AQHWJB49ZakxAlnLjkOy42JMbcgjgKibjp8AgACNXhA= Date: Thu, 7 May 2020 05:55:23 +0000 Message-ID: <43808b691dbc487eae5d7a9686e03a29@intel.com> References: <20200507030928.42082-1-chenxux.di@intel.com> <20200507051512.GB49901@intel.com> In-Reply-To: <20200507051512.GB49901@intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.36] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi, xiaolong > -----Original Message----- > From: Ye, Xiaolong > Sent: Thursday, May 7, 2020 1:15 PM > To: Di, ChenxuX > Cc: dev@dpdk.org; Xing, Beilei > Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix out of bounds read issue >=20 > On 05/07, Chenxu Di wrote: > >This patch fixes (out-of-bounds read) coverity issue. > > > >Coverity issue: 357699 > >Coverity issue: 357694 > >Fixes: feaae285b342 ("net/i40e: support hash configuration in RSS > >flow") > > > >Signed-off-by: Chenxu Di > >--- > > drivers/net/i40e/i40e_ethdev.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > >diff --git a/drivers/net/i40e/i40e_ethdev.c > >b/drivers/net/i40e/i40e_ethdev.c index 749d85f54..6c295ac5a 100644 > >--- a/drivers/net/i40e/i40e_ethdev.c > >+++ b/drivers/net/i40e/i40e_ethdev.c > >@@ -13180,7 +13180,7 @@ i40e_rss_config_hash_function(struct i40e_pf *pf= , > > } > > > > for (j =3D I40E_FILTER_PCTYPE_INVALID + 1; > >- j < I40E_FILTER_PCTYPE_MAX; j++) { > >+ j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) { >=20 > I see i is defined as uint32_t, why compare it to UINT64_BIT here? > And could you specify where is the out of bounds read before the fix? The UINT64_BIT is the define of 64. And i is just used as the index of pcty= pes_tbl[]. And the code is just copy the function i40e_set_hash_filter_global_config()= , So I don't why he use the define UINT64_BIT as the value 64. >=20 > > if (pf->adapter->pctypes_tbl[i] & (1ULL << j)) the out of bounds read is the pctypes_tbl[i]. the above code is that : for (i =3D RTE_ETH_FLOW_UNKNOWN + 1; i < UINT64_BIT; i++) { if (mask0 & (1UL << i)) break; } If the loop doesn't break; the value of i will be 64 while the length of pc= types_tbl[] is 64. > > i40e_write_global_rx_ctl(hw, > > I40E_GLQF_HSYM(j), > >@@ -13312,7 +13312,7 @@ i40e_rss_clear_hash_function(struct i40e_pf *pf, > > } > > > > for (j =3D I40E_FILTER_PCTYPE_INVALID + 1; > >- j < I40E_FILTER_PCTYPE_MAX; j++) { > >+ j < I40E_FILTER_PCTYPE_MAX && i < UINT64_BIT; j++) { > > if (pf->adapter->pctypes_tbl[i] & (1ULL << j)) > > i40e_write_global_rx_ctl(hw, > > I40E_GLQF_HSYM(j), > >-- > >2.17.1 > >