From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 4D0DF454EF;
	Tue, 25 Jun 2024 13:23:13 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 522C242F81;
	Tue, 25 Jun 2024 13:18:11 +0200 (CEST)
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19])
 by mails.dpdk.org (Postfix) with ESMTP id 6A1B942DA3
 for <dev@dpdk.org>; Tue, 25 Jun 2024 13:16:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1719314215; x=1750850215;
 h=from:to:cc:subject:date:message-id:in-reply-to:
 references:mime-version:content-transfer-encoding;
 bh=RU1ecA7tdvGTPpOv9JGpnLuyhcgnyWj1qBRlv6sqCaw=;
 b=NwxHmTTf+4iao5EkpDdgtNL/bYn1pRwh4jsWJO/JvyMZYZx3L9HzNkxZ
 eh4sVymILWDe+OY8v8qk9BPFp9YztJhKpHiIB+tkNHTLcBcf/oWOBtLCX
 OOXHp6yr1wQHRZ9UrAh/fO3AjGx8KCdG1/C4FnzBVR0IKyfXN2/pmKyic
 bxnf6DPud+6nXjiTKLK7mcfcylXS220z2ZzdsuMXNXJA/uqxjUk6MYiP5
 e4v6k7pzBrLaY9i23qRZp3yosGtr5VGshFBundG1fWhqDKAsqdjs1UYLx
 nUBIsaUuWME9K05/EHZmqIRnqW/zPMaqBpSKampcFZ35mzkjy5Y8plDuB Q==;
X-CSE-ConnectionGUID: 2Q4rMGX/RxKZ4IUTLYEoPw==
X-CSE-MsgGUID: dEEDXulrSW28lNTsG2j8kg==
X-IronPort-AV: E=McAfee;i="6700,10204,11113"; a="16080296"
X-IronPort-AV: E=Sophos;i="6.08,263,1712646000"; d="scan'208";a="16080296"
Received: from orviesa009.jf.intel.com ([10.64.159.149])
 by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 25 Jun 2024 04:16:45 -0700
X-CSE-ConnectionGUID: 4rHUAruOTxuNi/HL7DWnoA==
X-CSE-MsgGUID: yML8pQ9dSceOCpo5AanaCA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.08,263,1712646000"; d="scan'208";a="43719359"
Received: from unknown (HELO silpixa00401119.ir.intel.com) ([10.55.129.167])
 by orviesa009.jf.intel.com with ESMTP; 25 Jun 2024 04:16:44 -0700
From: Anatoly Burakov <anatoly.burakov@intel.com>
To: dev@dpdk.org
Cc: Paul Greenwalt <paul.greenwalt@intel.com>, bruce.richardson@intel.com,
 ian.stokes@intel.com, Dan Nowlin <dan.nowlin@intel.com>
Subject: [PATCH v3 065/129] net/ice/base: fix potential TLV length overflow
Date: Tue, 25 Jun 2024 12:13:10 +0100
Message-ID: <e7ff207856f78e4cf0ac04e6ba5e0f39c4de7b8e.1719313663.git.anatoly.burakov@intel.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1719313663.git.anatoly.burakov@intel.com>
References: <cover.1718204528.git.anatoly.burakov@intel.com>
 <cover.1719313663.git.anatoly.burakov@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

From: Paul Greenwalt <paul.greenwalt@intel.com>

It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result an infinite loop.

Fix this issue by changing next_tlv from u16 to u32 to prevent overflow.
Also check that tlv_len is valid and less than pfa_len.

Fix an issue with conversion from 'u32' to 'u16', possible loss
of data compile errors by making appropriate casts.

Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Signed-off-by: Dan Nowlin <dan.nowlin@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
---
 drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index 79b66fa70f..811bbc9bbc 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 		       u16 module_type)
 {
 	u16 pfa_len, pfa_ptr;
-	u16 next_tlv;
+	u32 next_tlv;
 	int status;
 
 	status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 	 * of TLVs to find the requested one.
 	 */
 	next_tlv = pfa_ptr + 1;
-	while (next_tlv < pfa_ptr + pfa_len) {
+	while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
 		u16 tlv_sub_module_type;
 		u16 tlv_len;
 
 		/* Read TLV type */
-		status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type);
+		status = ice_read_sr_word(hw, (u16)next_tlv,
+					  &tlv_sub_module_type);
 		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n");
 			break;
 		}
 		/* Read TLV length */
-		status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len);
+		status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len);
 		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
 			break;
 		}
+		if (tlv_len > pfa_len) {
+			ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
+			return ICE_ERR_INVAL_SIZE;
+		}
 		if (tlv_sub_module_type == module_type) {
 			if (tlv_len) {
-				*module_tlv = next_tlv;
+				*module_tlv = (u16)next_tlv;
 				*module_tlv_len = tlv_len;
 				return 0;
 			}
-- 
2.43.0