From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 5205E45500;
	Wed, 26 Jun 2024 14:00:02 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 55B09433E3;
	Wed, 26 Jun 2024 13:55:53 +0200 (CEST)
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.9])
 by mails.dpdk.org (Postfix) with ESMTP id 01A7942E95
 for <dev@dpdk.org>; Wed, 26 Jun 2024 13:44:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1719402256; x=1750938256;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=RU1ecA7tdvGTPpOv9JGpnLuyhcgnyWj1qBRlv6sqCaw=;
 b=DVS+wPje5zcVc5U1s5I96x6yYjPiDSNMLXK3CM6AvX9sg9wCGeVyP0Bl
 N363DhAHzA7yY4Cc2ziDJ5l0zKUPjQO/y7tY/OZpjE0g7Sw0KTKdOxV91
 SyC82Y8HJuLKTt8OPZnS31c7S02YK3rsd4Uksbs6jYgJQoKOXJNMRddJj
 xNPhU3cRKQIBJhepoc/lP5o6q8H+MsAg41xMsgfhMq7qPBFoetiE6AxpV
 64FgBJqD3B/JDpjIMq0iBHXM3g5g6OOj69+HqMN/EFUEmxgrFIjnKa/l1
 3fOrj3BVY77Lv/HmYntJoShuKpbrf4Ccn38CZhgLljsubrcsOoQI1P8BN w==;
X-CSE-ConnectionGUID: iHPHj+ZrTkGKvXQZKCNpTg==
X-CSE-MsgGUID: 9QZNRzAjTVif5sxrh+wn7Q==
X-IronPort-AV: E=McAfee;i="6700,10204,11114"; a="38979419"
X-IronPort-AV: E=Sophos;i="6.08,266,1712646000"; d="scan'208";a="38979419"
Received: from orviesa010.jf.intel.com ([10.64.159.150])
 by orvoesa101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 26 Jun 2024 04:44:15 -0700
X-CSE-ConnectionGUID: +NJ79s4XR26fH5fiGYjSZA==
X-CSE-MsgGUID: 7FHWQ1PfRdSN5qE7AQR1aQ==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.08,266,1712646000"; d="scan'208";a="43873920"
Received: from unknown (HELO silpixa00401119.ir.intel.com) ([10.55.129.167])
 by orviesa010.jf.intel.com with ESMTP; 26 Jun 2024 04:44:15 -0700
From: Anatoly Burakov <anatoly.burakov@intel.com>
To: dev@dpdk.org
Cc: Paul Greenwalt <paul.greenwalt@intel.com>, ian.stokes@intel.com,
 bruce.richardson@intel.com
Subject: [PATCH v4 045/103] net/ice/base: fix potential TLV length overflow
Date: Wed, 26 Jun 2024 12:41:33 +0100
Message-ID: <1e17609676a60249bcd31735881e8f35d00d2d8e.1719401848.git.anatoly.burakov@intel.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1719401847.git.anatoly.burakov@intel.com>
References: <cover.1719313663.git.anatoly.burakov@intel.com>
 <cover.1719401847.git.anatoly.burakov@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

From: Paul Greenwalt <paul.greenwalt@intel.com>

It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result an infinite loop.

Fix this issue by changing next_tlv from u16 to u32 to prevent overflow.
Also check that tlv_len is valid and less than pfa_len.

Fix an issue with conversion from 'u32' to 'u16', possible loss
of data compile errors by making appropriate casts.

Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Signed-off-by: Dan Nowlin <dan.nowlin@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
---
 drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index 79b66fa70f..811bbc9bbc 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 		       u16 module_type)
 {
 	u16 pfa_len, pfa_ptr;
-	u16 next_tlv;
+	u32 next_tlv;
 	int status;
 
 	status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 	 * of TLVs to find the requested one.
 	 */
 	next_tlv = pfa_ptr + 1;
-	while (next_tlv < pfa_ptr + pfa_len) {
+	while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
 		u16 tlv_sub_module_type;
 		u16 tlv_len;
 
 		/* Read TLV type */
-		status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type);
+		status = ice_read_sr_word(hw, (u16)next_tlv,
+					  &tlv_sub_module_type);
 		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n");
 			break;
 		}
 		/* Read TLV length */
-		status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len);
+		status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len);
 		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
 			break;
 		}
+		if (tlv_len > pfa_len) {
+			ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
+			return ICE_ERR_INVAL_SIZE;
+		}
 		if (tlv_sub_module_type == module_type) {
 			if (tlv_len) {
-				*module_tlv = next_tlv;
+				*module_tlv = (u16)next_tlv;
 				*module_tlv_len = tlv_len;
 				return 0;
 			}
-- 
2.43.0