From: Kevin Traynor
To: Tianfei Zhang
Cc: Rosen Xu, dpdk stable
Date: Fri, 23 Aug 2019 10:43:29 +0100
Message-Id: <20190823094336.12078-39-ktraynor@redhat.com>
In-Reply-To: <20190823094336.12078-1-ktraynor@redhat.com>
References: <20190823094336.12078-1-ktraynor@redhat.com>
Subject: [dpdk-stable] patch 'raw/ifpga/base: fix use of untrusted scalar value' has been queued to LTS release 18.11.3

Hi,

FYI, your patch has been queued to LTS release 18.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/28/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/1b084f38c075b089888186c65a476ffc7b4d57de

Thanks.

Kevin Traynor

---
>From 1b084f38c075b089888186c65a476ffc7b4d57de Mon Sep 17 00:00:00 2001
From: Tianfei Zhang Date: Fri, 21 Jun 2019 16:40:13 +0800 Subject: [PATCH] raw/ifpga/base: fix use of untrusted scalar value [ upstream commit 8234347f999daed5ddcbfd659260fed79abb537a ] Add checking the buffer size and use const char * for buffer declaration. Coverity issue: 279449 Fixes: ef1e8ede ("raw/ifpga: add Intel FPGA bus rawdev driver") Signed-off-by: Tianfei Zhang Acked-by: Rosen Xu --- drivers/raw/ifpga_rawdev/base/ifpga_api.c | 4 +-- drivers/raw/ifpga_rawdev/base/ifpga_api.h | 2 +- .../raw/ifpga_rawdev/base/ifpga_feature_dev.h | 2 +- drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c | 27 +++++++++++-------- drivers/raw/ifpga_rawdev/base/opae_hw_api.c | 4 +-- drivers/raw/ifpga_rawdev/base/opae_hw_api.h | 4 +-- drivers/raw/ifpga_rawdev/ifpga_rawdev.c | 7 ++++- 7 files changed, 30 insertions(+), 20 deletions(-) diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_api.c b/drivers/raw/ifpga_rawdev/base/ifpga_api.c index 540e171a0..a7ab0f705 100644 --- a/drivers/raw/ifpga_rawdev/base/ifpga_api.c +++ b/drivers/raw/ifpga_rawdev/base/ifpga_api.c @@ -184,5 +184,5 @@ struct opae_bridge_ops ifpga_br_ops = { /* Manager APIs */ -static int ifpga_mgr_flash(struct opae_manager *mgr, int id, void *buf, +static int ifpga_mgr_flash(struct opae_manager *mgr, int id, const char *buf, u32 size, u64 *status) { @@ -231,5 +231,5 @@ struct opae_adapter_ops ifpga_adapter_ops = { * - <0: Error code returned in partial reconfiguration. **/ -int ifpga_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, +int ifpga_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size, u64 *status) { diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_api.h b/drivers/raw/ifpga_rawdev/base/ifpga_api.h index dae7ca14c..f203f3def 100644 --- a/drivers/raw/ifpga_rawdev/base/ifpga_api.h +++ b/drivers/raw/ifpga_rawdev/base/ifpga_api.h 
@@ -23,5 +23,5 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id, /* FME APIs */ -int ifpga_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, +int ifpga_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size, u64 *status); diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h b/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h index 4391f2fdf..a58dbdc70 100644 --- a/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h +++ b/drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h @@ -122,5 +122,5 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port) } -int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, +int do_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size, u64 *status); diff --git a/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c b/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c index ec0beeb1a..cc91dff59 100644 --- a/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c +++ b/drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c @@ -224,6 +224,6 @@ static int fpga_pr_buf_load(struct ifpga_fme_hw *fme_dev, } -static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, - u64 *status) +static int fme_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, + u32 size, u64 *status) { struct feature_fme_header *fme_hdr; @@ -270,5 +270,5 @@ static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, fpga_port_disable(port); - ret = fpga_pr_buf_load(fme, &info, (void *)buffer, size); + ret = fpga_pr_buf_load(fme, &info, buffer, size); *status = info.pr_err; 
@@ -281,10 +281,12 @@ static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, } -int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, u64 *status) +int do_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, + u32 size, u64 *status) { - struct bts_header *bts_hdr; - void *buf; + const struct bts_header *bts_hdr; + const char *buf; struct ifpga_port_hw *port; int ret; + u32 header_size; if (!buffer || size == 0) { @@ -293,13 +295,16 @@ int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, u64 *status) } - bts_hdr = (struct bts_header *)buffer; + bts_hdr = (const struct bts_header *)buffer; if (is_valid_bts(bts_hdr)) { dev_info(hw, "this is a valid bitsteam..\n"); - size -= (sizeof(struct bts_header) + - bts_hdr->metadata_len); - buf = (u8 *)buffer + sizeof(struct bts_header) + - bts_hdr->metadata_len; + header_size = sizeof(struct bts_header) + + bts_hdr->metadata_len; + if (size < header_size) + return -EINVAL; + size -= header_size; + buf = buffer + header_size; } else { + dev_err(hw, "this is an invalid bitstream..\n"); return -EINVAL; } diff --git a/drivers/raw/ifpga_rawdev/base/opae_hw_api.c b/drivers/raw/ifpga_rawdev/base/opae_hw_api.c index 1541b6798..ff0ed8c31 100644 --- a/drivers/raw/ifpga_rawdev/base/opae_hw_api.c +++ b/drivers/raw/ifpga_rawdev/base/opae_hw_api.c @@ -242,6 +242,6 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data) * Return: 0 on success, otherwise error code. */ -int opae_manager_flash(struct opae_manager *mgr, int id, void *buf, u32 size, - u64 *status) +int opae_manager_flash(struct opae_manager *mgr, int id, const char *buf, + u32 size, u64 *status) { if (!mgr) diff --git a/drivers/raw/ifpga_rawdev/base/opae_hw_api.h b/drivers/raw/ifpga_rawdev/base/opae_hw_api.h index 332e0f3f6..2a2121c08 100644 --- a/drivers/raw/ifpga_rawdev/base/opae_hw_api.h +++ b/drivers/raw/ifpga_rawdev/base/opae_hw_api.h 
@@ -41,5 +41,5 @@ struct opae_manager { /* FIXME: add more management ops, e.g power/thermal and etc */ struct opae_manager_ops { - int (*flash)(struct opae_manager *mgr, int id, void *buffer, + int (*flash)(struct opae_manager *mgr, int id, const char *buffer, u32 size, u64 *status); }; @@ -49,5 +49,5 @@ struct opae_manager * opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data); #define opae_manager_free(mgr) opae_free(mgr) -int opae_manager_flash(struct opae_manager *mgr, int acc_id, void *buf, +int opae_manager_flash(struct opae_manager *mgr, int acc_id, const char *buf, u32 size, u64 *status); diff --git a/drivers/raw/ifpga_rawdev/ifpga_rawdev.c b/drivers/raw/ifpga_rawdev/ifpga_rawdev.c index eff001b59..941616466 100644 --- a/drivers/raw/ifpga_rawdev/ifpga_rawdev.c +++ b/drivers/raw/ifpga_rawdev/ifpga_rawdev.c @@ -178,5 +178,5 @@ ifpga_rawdev_reset(struct rte_rawdev *dev) static int -fpga_pr(struct rte_rawdev *raw_dev, u32 port_id, u64 *buffer, u32 size, +fpga_pr(struct rte_rawdev *raw_dev, u32 port_id, const char *buffer, u32 size, u64 *status) { @@ -249,4 +249,9 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, } buffer_size = file_stat.st_size; + if (buffer_size <= 0) { + ret = -EINVAL; + goto close_fd; + } + IFPGA_RAWDEV_PMD_INFO("bitstream file size: %zu\n", buffer_size); buffer = rte_malloc(NULL, buffer_size, 0); -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-08-22 19:38:22.983366250 +0100 +++ 0039-raw-ifpga-base-fix-use-of-untrusted-scalar-value.patch 2019-08-22 19:38:20.472026045 +0100 @@ -1 +1 @@ -From 8234347f999daed5ddcbfd659260fed79abb537a Mon Sep 17 00:00:00 2001 +From 1b084f38c075b089888186c65a476ffc7b4d57de Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 8234347f999daed5ddcbfd659260fed79abb537a ] + @@ -11 +12,0 @@ -Cc: stable@dpdk.org @@ -26 +27 @@ -index 3ddbcdc2a..53d101daf 100644 +index 540e171a0..a7ab0f705 100644 
@@ -29 +30 @@ -@@ -183,5 +183,5 @@ struct opae_bridge_ops ifpga_br_ops = { +@@ -184,5 +184,5 @@ struct opae_bridge_ops ifpga_br_ops = { @@ -36 +37 @@ -@@ -325,5 +325,5 @@ struct opae_adapter_ops ifpga_adapter_ops = { +@@ -231,5 +231,5 @@ struct opae_adapter_ops ifpga_adapter_ops = { @@ -44 +45 @@ -index 4a247698c..051ab8276 100644 +index dae7ca14c..f203f3def 100644 @@ -47 +48 @@ -@@ -24,5 +24,5 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id, +@@ -23,5 +23,5 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id, @@ -55 +56 @@ -index bb9fcc289..e243d4273 100644 +index 4391f2fdf..a58dbdc70 100644 @@ -58 +59 @@ -@@ -150,5 +150,5 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port) +@@ -122,5 +122,5 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port) @@ -66 +67 @@ -index efa72660f..9997942d2 100644 +index ec0beeb1a..cc91dff59 100644 @@ -124 +125 @@ -index 0e117d05e..8964e7984 100644 +index 1541b6798..ff0ed8c31 100644 @@ -127 +128 @@ -@@ -245,6 +245,6 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, +@@ -242,6 +242,6 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data) @@ -137 +138 @@ -index 383e751cb..63405a471 100644 +index 332e0f3f6..2a2121c08 100644 @@ -140 +141 @@ -@@ -45,5 +45,5 @@ struct opae_manager { +@@ -41,5 +41,5 @@ struct opae_manager { @@ -146,3 +147,3 @@ - int (*get_eth_group_region_info)(struct opae_manager *mgr, -@@ -75,5 +75,5 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, - struct opae_manager_networking_ops *network_ops, void *data); + }; +@@ -49,5 +49,5 @@ struct opae_manager * + opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data); @@ -153 +154 @@ - int opae_manager_get_eth_group_region_info(struct opae_manager *mgr, + @@ -155 +156 @@ -index 41be1a205..01aa917de 100644 +index eff001b59..941616466 100644 
@@ -158 +159 @@ -@@ -226,5 +226,5 @@ ifpga_rawdev_reset(struct rte_rawdev *dev) +@@ -178,5 +178,5 @@ ifpga_rawdev_reset(struct rte_rawdev *dev) @@ -165 +166 @@ -@@ -297,4 +297,9 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, +@@ -249,4 +249,9 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
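
Review bot: in the do_pr() hunk of ifpga_fme_pr.c, is_valid_bts(bts_hdr) still runs before anything confirms that size covers a whole struct bts_header; the only earlier check visible is "size == 0", so a file shorter than the header is read past its end while it is being validated. Suggest rejecting size < sizeof(struct bts_header) before bts_hdr is dereferenced. The new "if (size < header_size)" test also depends on a u32 sum of sizeof(struct bts_header) and the file-supplied bts_hdr->metadata_len; the field's type is not visible here, but if it is 32 bits wide the sum can wrap and a small header_size passes the test. Comparing bts_hdr->metadata_len against size - sizeof(struct bts_header) avoids the addition. The new early return is silent while the else branch now logs through dev_err(); a message on the size failure would make the two rejections distinguishable.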
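
Review bot: in the rte_fpga_do_pr() hunk of ifpga_rawdev.c, "if (buffer_size <= 0)" is applied after file_stat.st_size has already been assigned to buffer_size, and the %zu in the IFPGA_RAWDEV_PMD_INFO line that follows suggests buffer_size is unsigned, in which case the test reduces to "== 0" and a negative st_size is never seen as negative. Suggest testing file_stat.st_size itself before the assignment. No upper bound is added either: fpga_pr() in the same file takes "u32 size", so if buffer_size is what gets passed down, a file larger than a u32 can hold should be rejected here rather than truncated on the way in.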
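
Review bot: in the fme_pr() hunk at line 270 of ifpga_fme_pr.c, the call becomes "fpga_pr_buf_load(fme, &info, buffer, size)" with buffer now a const char *, but no hunk in this patch changes fpga_pr_buf_load()'s parameter list. If that parameter is not already const-qualified on the 18.11 branch, dropping the old (void *) cast discards the qualifier and the build warns. Worth confirming against the stable tree, since the diff against the upstream commit shows every hunk was rebased to different offsets.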