Anoob Joseph (3): crypto/octeontx: fix non null terminated string crypto/octeontx: fix null pointer dereferencing crypto/octeontx: fix null pointer dereferencing drivers/crypto/octeontx/otx_cryptodev.c | 2 +- drivers/crypto/octeontx/otx_cryptodev_hw_access.c | 5 ++++- drivers/crypto/octeontx/otx_cryptodev_ops.c | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) -- 2.7.4
If the length of string pointed by 'name' is equal to or greater than the sizeof cptvf->dev_name string, the resultant string will not be null terminated. Using strlcpy would make sure the string would always be null terminated. Fixes: 0dc1cffa4d33 ("crypto/octeontx: add hardware init routine") Signed-off-by: Ankur Dwivedi <ankur.dwivedi@caviumnetworks.com> Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com> --- drivers/crypto/octeontx/otx_cryptodev_hw_access.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/octeontx/otx_cryptodev_hw_access.c b/drivers/crypto/octeontx/otx_cryptodev_hw_access.c index 5e705a8..18f2e6b 100644 --- a/drivers/crypto/octeontx/otx_cryptodev_hw_access.c +++ b/drivers/crypto/octeontx/otx_cryptodev_hw_access.c @@ -9,6 +9,7 @@ #include <rte_common.h> #include <rte_errno.h> #include <rte_memzone.h> +#include <rte_string_fns.h> #include "otx_cryptodev_hw_access.h" #include "otx_cryptodev_mbox.h" @@ -366,7 +367,9 @@ otx_cpt_hw_init(struct cpt_vf *cptvf, void *pdev, void *reg_base, char *name) /* Bar0 base address */ cptvf->reg_base = reg_base; - strncpy(cptvf->dev_name, name, 32); + + /* Save device name */ + strlcpy(cptvf->dev_name, name, (sizeof(cptvf->dev_name))); cptvf->pdev = pdev; -- 2.7.4
Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton") Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com> --- drivers/crypto/octeontx/otx_cryptodev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c index 269f045..b201e0a 100644 --- a/drivers/crypto/octeontx/otx_cryptodev.c +++ b/drivers/crypto/octeontx/otx_cryptodev.c @@ -100,8 +100,8 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) if (rte_eal_process_type() == RTE_PROC_PRIMARY) rte_free(cryptodev->data->dev_private); - cryptodev->device = NULL; cryptodev->device->driver = NULL; + cryptodev->device = NULL; cryptodev->data = NULL; /* free metapool memory */ -- 2.7.4
The function otx_cpt_get_resource() would be setting the pointer 'instance'. In case of error, 'instance' would be set to NULL, and returns rte_errno. If rte_errno when 'instance' is set to NULL, it can lead to NULL pointer dereferencing. Fixes: 0961348fdf52 ("crypto/octeontx: add queue pair functions") Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com> --- drivers/crypto/octeontx/otx_cryptodev_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/octeontx/otx_cryptodev_ops.c b/drivers/crypto/octeontx/otx_cryptodev_ops.c index 23f9659..90d0c14 100644 --- a/drivers/crypto/octeontx/otx_cryptodev_ops.c +++ b/drivers/crypto/octeontx/otx_cryptodev_ops.c @@ -216,7 +216,7 @@ otx_cpt_que_pair_setup(struct rte_cryptodev *dev, } ret = otx_cpt_get_resource(cptvf, 0, &instance); - if (ret != 0) { + if (ret != 0 || instance == NULL) { CPT_LOG_ERR("Error getting instance handle from device %s : " "ret = %d", dev->data->name, ret); return ret; -- 2.7.4
Hi Anoob,
On 11/11/2018 8:54 PM, Anoob Joseph wrote:
> Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton")
>
> Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
> ---
> drivers/crypto/octeontx/otx_cryptodev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c
> index 269f045..b201e0a 100644
> --- a/drivers/crypto/octeontx/otx_cryptodev.c
> +++ b/drivers/crypto/octeontx/otx_cryptodev.c
> @@ -100,8 +100,8 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev)
> if (rte_eal_process_type() == RTE_PROC_PRIMARY)
> rte_free(cryptodev->data->dev_private);
>
> - cryptodev->device = NULL;
> cryptodev->device->driver = NULL;
> + cryptodev->device = NULL;
> cryptodev->data = NULL;
>
> /* free metapool memory */
Can we squash the entire series into a single patch or at least 2/3 and
3/3 should be merged.
You can have more than one fixes lines in a single patch.
-Akhil
Hi Akhil,
You can squash the entire series. Or should I send a revised patch? Either way is fine.
Anoob
> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: 12 November 2018 16:51
> To: Joseph, Anoob <Anoob.Joseph@cavium.com>; Pablo de Lara
> <pablo.de.lara.guarch@intel.com>
> Cc: Joseph, Anoob <Anoob.Joseph@cavium.com>; Jacob, Jerin
> <Jerin.JacobKollanukkaran@cavium.com>; Athreya, Narayana Prasad
> <NarayanaPrasad.Athreya@cavium.com>; Dwivedi, Ankur
> <Ankur.Dwivedi@cavium.com>; dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH 2/3] crypto/octeontx: fix null pointer
> dereferencing
>
> External Email
>
> Hi Anoob,
>
> On 11/11/2018 8:54 PM, Anoob Joseph wrote:
> > Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton")
> >
> > Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
> > ---
> > drivers/crypto/octeontx/otx_cryptodev.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/crypto/octeontx/otx_cryptodev.c
> b/drivers/crypto/octeontx/otx_cryptodev.c
> > index 269f045..b201e0a 100644
> > --- a/drivers/crypto/octeontx/otx_cryptodev.c
> > +++ b/drivers/crypto/octeontx/otx_cryptodev.c
> > @@ -100,8 +100,8 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev)
> > if (rte_eal_process_type() == RTE_PROC_PRIMARY)
> > rte_free(cryptodev->data->dev_private);
> >
> > - cryptodev->device = NULL;
> > cryptodev->device->driver = NULL;
> > + cryptodev->device = NULL;
> > cryptodev->data = NULL;
> >
> > /* free metapool memory */
> Can we squash the entire series into a single patch or at least 2/3 and
> 3/3 should be merged.
> You can have more than one fixes lines in a single patch.
>
> -Akhil
Hi Anoob,
On 11/12/2018 4:53 PM, Joseph, Anoob wrote:
> Hi Akhil,
>
> You can squash the entire series. Or should I send a revised patch? Either way is fine.
You can send a revised patch with coverity ID and appropriate patch
description for all the issues resolved here.
-Akhil
Coverity Issue: 323492 If the length of string pointed by 'name' is equal to or greater than the sizeof cptvf->dev_name string, the resultant string will not be null terminated. Using strlcpy would make sure the string would always be null terminated. Fixes: 0dc1cffa4d33 ("crypto/octeontx: add hardware init routine") Coverity Issue: 323489 Fix null pointer dereferencing Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton") Coverity Issue: 323486 The function otx_cpt_get_resource() would be setting the pointer 'instance'. In case of error, 'instance' would be set to NULL, and returns rte_errno. If rte_errno when 'instance' is set to NULL, it can lead to NULL pointer dereferencing. Fixes: 0961348fdf52 ("crypto/octeontx: add queue pair functions") Signed-off-by: Ankur Dwivedi <ankur.dwivedi@caviumnetworks.com> Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com> --- v2: * Squashed three commits to one drivers/crypto/octeontx/otx_cryptodev.c | 2 +- drivers/crypto/octeontx/otx_cryptodev_hw_access.c | 5 ++++- drivers/crypto/octeontx/otx_cryptodev_ops.c | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c index 269f045..b201e0a 100644 --- a/drivers/crypto/octeontx/otx_cryptodev.c +++ b/drivers/crypto/octeontx/otx_cryptodev.c @@ -100,8 +100,8 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) if (rte_eal_process_type() == RTE_PROC_PRIMARY) rte_free(cryptodev->data->dev_private); - cryptodev->device = NULL; cryptodev->device->driver = NULL; + cryptodev->device = NULL; cryptodev->data = NULL; /* free metapool memory */ diff --git a/drivers/crypto/octeontx/otx_cryptodev_hw_access.c b/drivers/crypto/octeontx/otx_cryptodev_hw_access.c index 5e705a8..18f2e6b 100644 --- a/drivers/crypto/octeontx/otx_cryptodev_hw_access.c +++ b/drivers/crypto/octeontx/otx_cryptodev_hw_access.c @@ -9,6 +9,7 @@ #include <rte_common.h> #include <rte_errno.h> #include <rte_memzone.h> +#include <rte_string_fns.h> #include "otx_cryptodev_hw_access.h" #include "otx_cryptodev_mbox.h" @@ -366,7 +367,9 @@ otx_cpt_hw_init(struct cpt_vf *cptvf, void *pdev, void *reg_base, char *name) /* Bar0 base address */ cptvf->reg_base = reg_base; - strncpy(cptvf->dev_name, name, 32); + + /* Save device name */ + strlcpy(cptvf->dev_name, name, (sizeof(cptvf->dev_name))); cptvf->pdev = pdev; diff --git a/drivers/crypto/octeontx/otx_cryptodev_ops.c b/drivers/crypto/octeontx/otx_cryptodev_ops.c index 23f9659..90d0c14 100644 --- a/drivers/crypto/octeontx/otx_cryptodev_ops.c +++ b/drivers/crypto/octeontx/otx_cryptodev_ops.c @@ -216,7 +216,7 @@ otx_cpt_que_pair_setup(struct rte_cryptodev *dev, } ret = otx_cpt_get_resource(cptvf, 0, &instance); - if (ret != 0) { + if (ret != 0 || instance == NULL) { CPT_LOG_ERR("Error getting instance handle from device %s : " "ret = %d", dev->data->name, ret); return ret; -- 2.7.4
On 11/12/2018 11:44 PM, Anoob Joseph wrote:
> Coverity Issue: 323492
>
> If the length of string pointed by 'name' is equal to or greater than
> the sizeof cptvf->dev_name string, the resultant string will not be
> null terminated. Using strlcpy would make sure the string would always
> be null terminated.
>
> Fixes: 0dc1cffa4d33 ("crypto/octeontx: add hardware init routine")
>
> Coverity Issue: 323489
>
> Fix null pointer dereferencing
>
> Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton")
>
> Coverity Issue: 323486
>
> The function otx_cpt_get_resource() would be setting the pointer
> 'instance'. In case of error, 'instance' would be set to NULL, and
> returns rte_errno. If rte_errno when 'instance' is set to NULL, it can
> lead to NULL pointer dereferencing.
>
> Fixes: 0961348fdf52 ("crypto/octeontx: add queue pair functions")
>
> Signed-off-by: Ankur Dwivedi <ankur.dwivedi@caviumnetworks.com>
> Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
> ---
> v2:
> * Squashed three commits to one
>
Applied to dpdk-next-crypto
Thanks