From: Kevin Traynor <ktraynor@redhat.com>
To: Tianfei Zhang <tianfei.zhang@intel.com>
Cc: Rosen Xu <rosen.xu@intel.com>, dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] patch 'raw/ifpga/base: fix use of untrusted scalar value' has been queued to LTS release 18.11.3
Date: Fri, 23 Aug 2019 10:43:29 +0100
Message-ID: <20190823094336.12078-39-ktraynor@redhat.com> (raw)
In-Reply-To: <20190823094336.12078-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to LTS release 18.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/28/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/1b084f38c075b089888186c65a476ffc7b4d57de

Thanks.

Kevin Traynor

---
From 1b084f38c075b089888186c65a476ffc7b4d57de Mon Sep 17 00:00:00 2001
From: Tianfei Zhang <tianfei.zhang@intel.com>
Date: Fri, 21 Jun 2019 16:40:13 +0800
Subject: [PATCH] raw/ifpga/base: fix use of untrusted scalar value

[ upstream commit 8234347f999daed5ddcbfd659260fed79abb537a ]

Add checking the buffer size and use
const char * for buffer declaration.

Coverity issue: 279449
Fixes: ef1e8ede ("raw/ifpga: add Intel FPGA bus rawdev driver")

Signed-off-by: Tianfei Zhang <tianfei.zhang@intel.com>
Acked-by: Rosen Xu <rosen.xu@intel.com>
---
 drivers/raw/ifpga_rawdev/base/ifpga_api.c     |  4 +--
 drivers/raw/ifpga_rawdev/base/ifpga_api.h     |  2 +-
 .../raw/ifpga_rawdev/base/ifpga_feature_dev.h |  2 +-
 drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c  | 27 +++++++++++--------
 drivers/raw/ifpga_rawdev/base/opae_hw_api.c   |  4 +--
 drivers/raw/ifpga_rawdev/base/opae_hw_api.h   |  4 +--
 drivers/raw/ifpga_rawdev/ifpga_rawdev.c       |  7 ++++-
 7 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_api.c b/drivers/raw/ifpga_rawdev/base/ifpga_api.c
index 540e171a0..a7ab0f705 100644
--- a/drivers/raw/ifpga_rawdev/base/ifpga_api.c
+++ b/drivers/raw/ifpga_rawdev/base/ifpga_api.c
@@ -184,5 +184,5 @@ struct opae_bridge_ops ifpga_br_ops = {
 
 /* Manager APIs */
-static int ifpga_mgr_flash(struct opae_manager *mgr, int id, void *buf,
+static int ifpga_mgr_flash(struct opae_manager *mgr, int id, const char *buf,
 			   u32 size, u64 *status)
 {
@@ -231,5 +231,5 @@ struct opae_adapter_ops ifpga_adapter_ops = {
  *   - <0: Error code returned in partial reconfiguration.
  **/
-int ifpga_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
+int ifpga_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size,
 	     u64 *status)
 {
diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_api.h b/drivers/raw/ifpga_rawdev/base/ifpga_api.h
index dae7ca14c..f203f3def 100644
--- a/drivers/raw/ifpga_rawdev/base/ifpga_api.h
+++ b/drivers/raw/ifpga_rawdev/base/ifpga_api.h
@@ -23,5 +23,5 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id,
 
 /* FME APIs */
-int ifpga_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
+int ifpga_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size,
 	     u64 *status);
 
diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h b/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h
index 4391f2fdf..a58dbdc70 100644
--- a/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h
+++ b/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h
@@ -122,5 +122,5 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port)
 }
 
-int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
+int do_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size,
 	  u64 *status);
 
diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c b/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c
index ec0beeb1a..cc91dff59 100644
--- a/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c
+++ b/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c
@@ -224,6 +224,6 @@ static int fpga_pr_buf_load(struct ifpga_fme_hw *fme_dev,
 }
 
-static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
-		  u64 *status)
+static int fme_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer,
+		u32 size, u64 *status)
 {
 	struct feature_fme_header *fme_hdr;
@@ -270,5 +270,5 @@ static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
 	fpga_port_disable(port);
 
-	ret = fpga_pr_buf_load(fme, &info, (void *)buffer, size);
+	ret = fpga_pr_buf_load(fme, &info, buffer, size);
 
 	*status = info.pr_err;
@@ -281,10 +281,12 @@ static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
 }
 
-int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, u64 *status)
+int do_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer,
+		u32 size, u64 *status)
 {
-	struct bts_header *bts_hdr;
-	void *buf;
+	const struct bts_header *bts_hdr;
+	const char *buf;
 	struct ifpga_port_hw *port;
 	int ret;
+	u32 header_size;
 
 	if (!buffer || size == 0) {
@@ -293,13 +295,16 @@ int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, u64 *status)
 	}
 
-	bts_hdr = (struct bts_header *)buffer;
+	bts_hdr = (const struct bts_header *)buffer;
 
 	if (is_valid_bts(bts_hdr)) {
 		dev_info(hw, "this is a valid bitsteam..\n");
-		size -= (sizeof(struct bts_header) +
-				     bts_hdr->metadata_len);
-		buf = (u8 *)buffer + sizeof(struct bts_header) +
-			       bts_hdr->metadata_len;
+		header_size = sizeof(struct bts_header) +
+			bts_hdr->metadata_len;
+		if (size < header_size)
+			return -EINVAL;
+		size -= header_size;
+		buf = buffer + header_size;
 	} else {
+		dev_err(hw, "this is an invalid bitstream..\n");
 		return -EINVAL;
 	}
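Review bot: The header is still read before `size` is known to cover it. `is_valid_bts(bts_hdr)` and `bts_hdr->metadata_len` are evaluated while the only earlier guard (in the previous hunk) is `!buffer || size == 0`, so a bitstream shorter than `struct bts_header` would presumably be read past its end; a guard such as `if (size < sizeof(struct bts_header)) return -EINVAL;` before the cast would close that. The `header_size` sum is also stored in a `u32`: if `metadata_len` is a 32-bit field (its declaration is not visible here), a large value can wrap the sum and slip past `size < header_size`, so checking `bts_hdr->metadata_len > size - sizeof(struct bts_header)` after the first guard is safer. The new short-buffer `return -EINVAL` is silent, unlike the `else` branch, which now logs. do_pr's body starts in the previous hunk and continues past this one.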
diff --git a/drivers/raw/ifpga_rawdev/base/opae_hw_api.c b/drivers/raw/ifpga_rawdev/base/opae_hw_api.c
index 1541b6798..ff0ed8c31 100644
--- a/drivers/raw/ifpga_rawdev/base/opae_hw_api.c
+++ b/drivers/raw/ifpga_rawdev/base/opae_hw_api.c
@@ -242,6 +242,6 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data)
  * Return: 0 on success, otherwise error code.
  */
-int opae_manager_flash(struct opae_manager *mgr, int id, void *buf, u32 size,
-		       u64 *status)
+int opae_manager_flash(struct opae_manager *mgr, int id, const char *buf,
+		u32 size, u64 *status)
 {
 	if (!mgr)
diff --git a/drivers/raw/ifpga_rawdev/base/opae_hw_api.h b/drivers/raw/ifpga_rawdev/base/opae_hw_api.h
index 332e0f3f6..2a2121c08 100644
--- a/drivers/raw/ifpga_rawdev/base/opae_hw_api.h
+++ b/drivers/raw/ifpga_rawdev/base/opae_hw_api.h
@@ -41,5 +41,5 @@ struct opae_manager {
 /* FIXME: add more management ops, e.g power/thermal and etc */
 struct opae_manager_ops {
-	int (*flash)(struct opae_manager *mgr, int id, void *buffer,
+	int (*flash)(struct opae_manager *mgr, int id, const char *buffer,
 		     u32 size, u64 *status);
 };
@@ -49,5 +49,5 @@ struct opae_manager *
 opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data);
 #define opae_manager_free(mgr) opae_free(mgr)
-int opae_manager_flash(struct opae_manager *mgr, int acc_id, void *buf,
+int opae_manager_flash(struct opae_manager *mgr, int acc_id, const char *buf,
 		       u32 size, u64 *status);
 
diff --git a/drivers/raw/ifpga_rawdev/ifpga_rawdev.c b/drivers/raw/ifpga_rawdev/ifpga_rawdev.c
index eff001b59..941616466 100644
--- a/drivers/raw/ifpga_rawdev/ifpga_rawdev.c
+++ b/drivers/raw/ifpga_rawdev/ifpga_rawdev.c
@@ -178,5 +178,5 @@ ifpga_rawdev_reset(struct rte_rawdev *dev)
 
 static int
-fpga_pr(struct rte_rawdev *raw_dev, u32 port_id, u64 *buffer, u32 size,
+fpga_pr(struct rte_rawdev *raw_dev, u32 port_id, const char *buffer, u32 size,
 			u64 *status)
 {
@@ -249,4 +249,9 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 	}
 	buffer_size = file_stat.st_size;
+	if (buffer_size <= 0) {
+		ret = -EINVAL;
+		goto close_fd;
+	}
+
 	IFPGA_RAWDEV_PMD_INFO("bitstream file size: %zu\n", buffer_size);
 	buffer = rte_malloc(NULL, buffer_size, 0);
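Review bot: The added `buffer_size <= 0` test likely only catches zero, and nothing bounds the value from above. The `%zu` in the log line just below suggests `buffer_size` is a `size_t`, so a negative `st_size` can no longer be detected after the assignment. Since `fpga_pr()` and `do_pr()` take the length as `u32 size`, a file of 4 GiB or more would presumably be truncated when passed down while `rte_malloc` still receives the full size; consider testing the signed field directly, `if (file_stat.st_size <= 0 || file_stat.st_size > UINT32_MAX) {`, before the assignment. The error path also returns `-EINVAL` without a log message. rte_fpga_do_pr starts and ends outside this hunk.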
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-08-22 19:38:22.983366250 +0100
+++ 0039-raw-ifpga-base-fix-use-of-untrusted-scalar-value.patch	2019-08-22 19:38:20.472026045 +0100
@@ -1 +1 @@
-From 8234347f999daed5ddcbfd659260fed79abb537a Mon Sep 17 00:00:00 2001
+From 1b084f38c075b089888186c65a476ffc7b4d57de Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 8234347f999daed5ddcbfd659260fed79abb537a ]
+
@@ -11 +12,0 @@
-Cc: stable@dpdk.org
@@ -26 +27 @@
-index 3ddbcdc2a..53d101daf 100644
+index 540e171a0..a7ab0f705 100644
@@ -29 +30 @@
-@@ -183,5 +183,5 @@ struct opae_bridge_ops ifpga_br_ops = {
+@@ -184,5 +184,5 @@ struct opae_bridge_ops ifpga_br_ops = {
@@ -36 +37 @@
-@@ -325,5 +325,5 @@ struct opae_adapter_ops ifpga_adapter_ops = {
+@@ -231,5 +231,5 @@ struct opae_adapter_ops ifpga_adapter_ops = {
@@ -44 +45 @@
-index 4a247698c..051ab8276 100644
+index dae7ca14c..f203f3def 100644
@@ -47 +48 @@
-@@ -24,5 +24,5 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id,
+@@ -23,5 +23,5 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id,
@@ -55 +56 @@
-index bb9fcc289..e243d4273 100644
+index 4391f2fdf..a58dbdc70 100644
@@ -58 +59 @@
-@@ -150,5 +150,5 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port)
+@@ -122,5 +122,5 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port)
@@ -66 +67 @@
-index efa72660f..9997942d2 100644
+index ec0beeb1a..cc91dff59 100644
@@ -124 +125 @@
-index 0e117d05e..8964e7984 100644
+index 1541b6798..ff0ed8c31 100644
@@ -127 +128 @@
-@@ -245,6 +245,6 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops,
+@@ -242,6 +242,6 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data)
@@ -137 +138 @@
-index 383e751cb..63405a471 100644
+index 332e0f3f6..2a2121c08 100644
@@ -140 +141 @@
-@@ -45,5 +45,5 @@ struct opae_manager {
+@@ -41,5 +41,5 @@ struct opae_manager {
@@ -146,3 +147,3 @@
- 	int (*get_eth_group_region_info)(struct opae_manager *mgr,
-@@ -75,5 +75,5 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops,
- 		struct opae_manager_networking_ops *network_ops, void *data);
+ };
+@@ -49,5 +49,5 @@ struct opae_manager *
+ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data);
@@ -153 +154 @@
- int opae_manager_get_eth_group_region_info(struct opae_manager *mgr,
+ 
@@ -155 +156 @@
-index 41be1a205..01aa917de 100644
+index eff001b59..941616466 100644
@@ -158 +159 @@
-@@ -226,5 +226,5 @@ ifpga_rawdev_reset(struct rte_rawdev *dev)
+@@ -178,5 +178,5 @@ ifpga_rawdev_reset(struct rte_rawdev *dev)
@@ -165 +166 @@
-@@ -297,4 +297,9 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
+@@ -249,4 +249,9 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
