* [DPDK/ethdev Bug 1801] ixgbe VF: buffer overrun risk in ixgbevf_get_pf_link_state() — msgbuf sized 3 dwords but size passed as 6
@ 2025-10-11 8:07 bugzilla
0 siblings, 0 replies; only message in thread
From: bugzilla @ 2025-10-11 8:07 UTC (permalink / raw)
To: dev
http://bugs.dpdk.org/show_bug.cgi?id=1801
Bug ID: 1801
Summary: ixgbe VF: buffer overrun risk in
ixgbevf_get_pf_link_state() — msgbuf sized 3 dwords
but size passed as 6
Product: DPDK
Version: 24.11
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: fenghua.lyn@gmail.com
Target Milestone: ---
Component: ixgbe VF mailbox (file: /drivers/net/intel/ixgbe/base/ixgbe_vf.c)
Function: ixgbevf_get_pf_link_state
Issue: The function allocates a 3-DWORD buffer msgbuf[3] but calls the mailbox
helper with a size of 6:
ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 6);
In this API, the size argument is the number of DWORDs (u32), not bytes.
Passing 6 causes the mailbox code to read/write beyond the 3-element buffer,
which is a buffer overrun.
Symptoms/Impact:
Potential stack/adjacent memory corruption.
Spurious link speed/state results.
Intermittent crashes or undefined behavior, especially under mailbox activity.
Root Cause:
Size/count mismatch: the mailbox APIs in this codebase consistently use “number
of u32 words” as the size unit (e.g., elsewhere we pass 2, 3, 5). This one call
site incorrectly passes 6 while the buffer is only 3 u32.
Fix:
Pass the correct DWORD count for the buffer, i.e., change 6 to 3.
Prefer a future-proof pattern using ARRAY_SIZE(msgbuf) to avoid similar
mistakes.
Corrected code snippet:
err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 3);
// or
err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, ARRAY_SIZE(msgbuf));
Risk Assessment:
Low risk; this change aligns with the mailbox interface semantics used
throughout the file.
Reduces risk of memory corruption and improves stability when retrieving PF
link state.
How to Reproduce:
Build with stack protection and run a VF that frequently queries PF link state.
Observe potential stack canary trips or sanitizer complaints around
ixgbevf_get_pf_link_state.
Alternatively, instrument ixgbevf_write_msg_read_ack to assert the size does
not exceed the buffer’s capacity.
Affected Versions:
Any version containing this exact implementation of ixgbevf_get_pf_link_state
where msgbuf is 3 u32 elements and the call passes size 6.
Additional Notes:
Other call sites in this file consistently use correct sizes (e.g., 2, 3, 5).
This appears to be a one-off typo.
Status: I reviewed the provided file content and pinpointed the size/count
mismatch in ixgbevf_get_pf_link_state. If you want, I can submit a minimal
patch changing 6 to 3 or to ARRAY_SIZE(msgbuf).
Proposed change in ixgbevf_get_pf_link_state:
Replace ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 6); with
ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 3);
Impact:
Prevents out-of-bounds mailbox read/write on the VF stack buffer.
Aligns with mailbox usage elsewhere, improving correctness and stability.
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2025-10-11 8:07 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-10-11 8:07 [DPDK/ethdev Bug 1801] ixgbe VF: buffer overrun risk in ixgbevf_get_pf_link_state() — msgbuf sized 3 dwords but size passed as 6 bugzilla
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).