From: Anatoly Burakov <anatoly.burakov@intel.com>
To: dev@dpdk.org
Cc: Ian Stokes <ian.stokes@intel.com>, bruce.richardson@intel.com,
 Paul Greenwalt <paul.greenwalt@intel.com>,
 Dan Nowlin <dan.nowlin@intel.com>
Subject: [PATCH v2 083/148] net/ice/base: fix potential TLV length overflow
Date: Wed, 12 Jun 2024 16:01:17 +0100
Message-ID: <8d759a88a58f9f7aa36cf0ec74fbe16f65e529b0.1718204529.git.anatoly.burakov@intel.com>
In-Reply-To: <cover.1718204528.git.anatoly.burakov@intel.com>
References: <20240430154014.1026-1-ian.stokes@intel.com>
 <cover.1718204528.git.anatoly.burakov@intel.com>

From: Ian Stokes <ian.stokes@intel.com>

It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result in an infinite loop.

Fix this issue by changing next_tlv from u16 to u32 to prevent overflow.
Also check that tlv_len is valid and less than pfa_len.

Fix "conversion from 'u32' to 'u16', possible loss of data" compile
errors by making appropriate casts.

Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Signed-off-by: Dan Nowlin <dan.nowlin@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
---
 drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index 79b66fa70f..811bbc9bbc 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 		       u16 module_type)
 {
 	u16 pfa_len, pfa_ptr;
-	u16 next_tlv;
+	u32 next_tlv;
 	int status;
 
 	status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
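Review bot: widening `next_tlv` to u32 (`+	u32 next_tlv;`) stops the cursor itself from wrapping, but `pfa_len` and `pfa_ptr` stay u16 and the shadow-RAM read API still takes a u16 offset, so the fix depends on every later downcast of `next_tlv` happening only while the value is still below 0x10000; a one-line comment on the declaration saying why this variable alone is wider than its neighbours, and what bounds it, would spare the next reader from re-deriving that.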
@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 	 * of TLVs to find the requested one.
 	 */
 	next_tlv = pfa_ptr + 1;
-	while (next_tlv < pfa_ptr + pfa_len) {
+	while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
 		u16 tlv_sub_module_type;
 		u16 tlv_len;
 
 		/* Read TLV type */
-		status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type);
+		status = ice_read_sr_word(hw, (u16)next_tlv,
+					  &tlv_sub_module_type);
 		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n");
 			break;
 		}
 		/* Read TLV length */
-		status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len);
+		status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len);
 		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
 			break;
 		}
+		if (tlv_len > pfa_len) {
+			ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
+			return ICE_ERR_INVAL_SIZE;
+		}
 		if (tlv_sub_module_type == module_type) {
 			if (tlv_len) {
-				*module_tlv = next_tlv;
+				*module_tlv = (u16)next_tlv;
 				*module_tlv_len = tlv_len;
 				return 0;
 			}
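Review bot: the new guard `if (tlv_len > pfa_len)` bounds `tlv_len` by the size of the whole PFA rather than by the space left after `next_tlv`, so a TLV whose length is below `pfa_len` but whose end lies beyond `pfa_ptr + pfa_len` still passes and the walk can step out of the area; given that the type word is read at `next_tlv` and the length word at `next_tlv + 1`, and assuming the payload is `tlv_len` words, a tighter check would be `if (tlv_len > pfa_len || next_tlv + 2 + tlv_len > (u32)pfa_ptr + pfa_len)`. Two smaller points: the `(u16)next_tlv` and `(u16)(next_tlv + 1)` casts truncate silently if the loop bound `(u32)pfa_ptr + pfa_len` ever exceeds 0xFFFF, so either that sum should be validated once before the loop or the casts deserve a comment stating the assumption; and the invalid-length path returns `ICE_ERR_INVAL_SIZE` directly while the two read-failure paths `break`, an asymmetry the commit message should mention so callers know which condition surfaces as an error and which as not-found.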
-- 
2.43.0