From: Luca Boccassi <bluca@debian.org>
To: Ferruh Yigit <ferruh.yigit@amd.com>
Cc: dev@dpdk.org, stable@dpdk.org
Subject: Re: [PATCH] net/txgbe: fix out of bound access
Date: Thu, 16 Nov 2023 15:16:27 +0000
Message-ID: <cf571a2480a37f933d481d476440f57deb00068b.camel@debian.org>
In-Reply-To: <20231116140718.4026676-1-ferruh.yigit@amd.com>

On Thu, 2023-11-16 at 14:07 +0000, Ferruh Yigit wrote:
> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
>
> In function 'txgbe_host_interface_command',
> inlined from 'txgbe_host_interface_command'
> at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
> inlined from 'txgbe_hic_reset'
> at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
> ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
> error: array subscript 2 is outside array bounds of
> 'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
> 145 | buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
> ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
> ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
> note: at offset 8 into object 'reset_cmd' of size 8
> 331 | struct txgbe_hic_reset reset_cmd;
> | ^~~~~~~~~
>
> Access to buffer done based on command code, the case complained by
> FW_RESET_CMD has short buffer but this code path only taken with command
> 0x30, so this shouldn't be a problem.
>
> Adding a size check before accessing to the buffer, as this is control
> plane code, additional check shouldn't hurt.
>
> [1]
> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
>
> [2]
> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
>
> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
> Cc: stable@dpdk.org
>
> Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
> Signed-off-by: Ferruh Yigit <ferruh.yigit@amd.com>
> ---
> Cc: jiawenwu@trustnetic.com
> Cc: jianwang@trustnetic.com
>
> @Luca, I am not sure if this additional check will satisfy the compiler,
> can you please verify the patch?
>
> @Jiawen, there is a specific handling for command 0x30, from comment it
> looks like it is Read Flash command, but it looks like this command is
> not used by the driver, if this is correct can we remove the check
> completely? Removing can be simpler way to fix the compiler error.
> ---
> drivers/net/txgbe/base/txgbe_mng.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
> index df7145094f84..9797b1b8b5da 100644
> --- a/drivers/net/txgbe/base/txgbe_mng.c
> +++ b/drivers/net/txgbe/base/txgbe_mng.c
> @@ -147,6 +147,10 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
> * two byes instead of one byte
> */
> if (resp->cmd == 0x30) {
> + if (length < ((dword_len + 2) << 2)) {
> + err = TXGBE_ERR_HOST_INTERFACE_COMMAND;
> + goto rel_out;
> + }
> for (; bi < dword_len + 2; bi++)
> buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>
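Review bot: the new guard `if (length < ((dword_len + 2) << 2))` treats `length` as a byte count while the loop directly below it indexes `buffer` in dwords up to `dword_len + 2`, and nothing in the hunk states that unit conversion. A one-line comment, or writing the bound as `(dword_len + 2) * sizeof(u32)`, would make the relationship between the check and the loop explicit. The `+ 2` also appears in both the check and the `for` condition, so computing the dword count once into a local and using it in both places would keep the two from drifting apart in a later change.
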
Thanks, this fixes the build:
https://build.opensuse.org/package/live_build_log/home:bluca:dpdk/dpdk-20.11/openSUSE_Factory_ARM/armv7l
Tested-by: Luca Boccassi <bluca@debian.org>