DPDK patches and discussions
From: Ferruh Yigit <ferruh.yigit@amd.com>
To: Jiawen Wu <jiawenwu@trustnetic.com>,
	'Jian Wang' <jianwang@trustnetic.com>,
	'Ferruh Yigit' <ferruh.yigit@intel.com>
Cc: dev@dpdk.org, stable@dpdk.org,
	'Luca Boccassi' <luca.boccassi@microsoft.com>
Subject: Re: [PATCH] net/txgbe: fix out of bound access
Date: Fri, 17 Nov 2023 09:15:20 +0000
Message-ID: <9b22ba19-3b55-4624-96ea-c85ee541485c@amd.com>
In-Reply-To: <0c7201da1900$28c7d450$7a577cf0$@trustnetic.com>

On 11/17/2023 2:45 AM, Jiawen Wu wrote:
> On Thursday, November 16, 2023 10:07 PM, Ferruh.Yigit@amd.com wrote:
>> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
>>
>>  In function 'txgbe_host_interface_command',
>>      inlined from 'txgbe_host_interface_command'
>>              at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
>>      inlined from 'txgbe_hic_reset'
>>              at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
>>  ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
>>     error: array subscript 2 is outside array bounds of
>>            'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
>>    145 |                     buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>>  ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
>>  ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
>>     note: at offset 8 into object 'reset_cmd' of size 8
>>    331 |         struct txgbe_hic_reset reset_cmd;
>>        |                                ^~~~~~~~~
>>
>> Access to buffer done based on command code, the case complained by
>> FW_RESET_CMD has short buffer but this code path only taken with command
>> 0x30, so this shouldn't be a problem.
>>
>> Adding a size check before accessing the buffer, as this is control
>> plane code, an additional check shouldn't hurt.
>>
>> [1]
>> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
>>
>> [2]
>> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
>>
>> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
>> Cc: stable@dpdk.org
>>
>> Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
>> Signed-off-by: Ferruh Yigit <ferruh.yigit@amd.com>
>> ---
>> Cc: jiawenwu@trustnetic.com
>> Cc: jianwang@trustnetic.com
>>
>> @Luca, I am not sure if this additional check will satisfy the compiler,
>> can you please verify the patch?
>>
>> @Jiawen, there is a specific handling for command 0x30, from comment it
>> looks like it is Read Flash command, but it looks like this command is
>> not used by the driver, if this is correct can we remove the check
>> completely? Removing can be simpler way to fix the compiler error.
> 
> Thanks Ferruh. This command has been removed because flash can be read
> directly by the driver. The check can be simply removed.
> 

OK, I will send a new version for it.

>> ---
>>  drivers/net/txgbe/base/txgbe_mng.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
>> index df7145094f84..9797b1b8b5da 100644
>> --- a/drivers/net/txgbe/base/txgbe_mng.c
>> +++ b/drivers/net/txgbe/base/txgbe_mng.c
>> @@ -147,6 +147,10 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
>>  	 * two byes instead of one byte
>>  	 */
>>  	if (resp->cmd == 0x30) {
>> +		if (length < ((dword_len + 2) << 2)) {
>> +			err = TXGBE_ERR_HOST_INTERFACE_COMMAND;
>> +			goto rel_out;
>> +		}
>>  		for (; bi < dword_len + 2; bi++)
>>  			buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>>
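
Review bot: the added `length < ((dword_len + 2) << 2)` test in the `resp->cmd == 0x30` branch compares what appears to be a byte length against a dword count shifted by 2 without saying so; a one-line comment stating the units would make it clear that it bounds the `buffer[bi]` writes of the loop right after it. It is also a runtime check, so whether it silences the `-Werror=array-bounds` diagnostic depends on what GCC can prove after inlining into `txgbe_hic_reset`, which the cover note itself leaves open. Since the thread establishes that command 0x30 is no longer used by the driver, dropping the whole branch removes both the warning and the loop that indexes up to `dword_len + 2`. If the check is kept instead, a debug log before `goto rel_out` would make a rejected response visible when debugging.
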
>> --
>> 2.34.1
>>
> 


Thread overview: 7+ messages
2023-11-16 14:07 Ferruh Yigit
2023-11-16 15:16 ` Luca Boccassi
2023-11-17  2:45 ` Jiawen Wu
2023-11-17  9:15   ` Ferruh Yigit [this message]
2023-11-17 10:12 ` [PATCH v2] " Ferruh Yigit
2023-11-20  1:51   ` Jiawen Wu
2023-11-20  9:53     ` Ferruh Yigit
