From: luca.boccassi@gmail.com
To: Paul Greenwalt
Cc: Dan Nowlin, Ian Stokes, Bruce Richardson, dpdk stable
Subject: patch 'net/ice/base: fix potential TLV length overflow' has been queued to stable release 22.11.6
Date: Mon, 15 Jul 2024 16:26:29 +0100
Message-Id: <20240715152704.2229503-51-luca.boccassi@gmail.com>
In-Reply-To: <20240715152704.2229503-1-luca.boccassi@gmail.com>
References: <20240624235907.885628-81-luca.boccassi@gmail.com> <20240715152704.2229503-1-luca.boccassi@gmail.com>

Hi,

FYI, your patch has been queued to stable release 22.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/17/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/ecb6c3285e65e5714c2febb650b21f00f8dbc9af

Thanks.

Luca Boccassi

---
>From ecb6c3285e65e5714c2febb650b21f00f8dbc9af Mon Sep 17 00:00:00 2001
From: Paul Greenwalt
Date: Wed, 26 Jun 2024 12:41:33 +0100
Subject: [PATCH] net/ice/base: fix potential TLV length overflow

[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]

It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result in an infinite loop. Fix this issue by
changing next_tlv from u16 to u32 to prevent overflow. Also check that
tlv_len is valid and less than pfa_len.

Fix an issue with conversion from 'u32' to 'u16', possible loss of data
compile errors by making appropriate casts.

Fixes: 77a649999047 ("net/ice/base: move functions from common to NVM module")

Signed-off-by: Paul Greenwalt
Signed-off-by: Dan Nowlin
Signed-off-by: Ian Stokes
Acked-by: Bruce Richardson
---
 drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 6550dda557..bc1a74460c 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, { enum ice_status status; u16 pfa_len, pfa_ptr; - u16 next_tlv; + u32 next_tlv; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); if (status != ICE_SUCCESS) { 
@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < pfa_ptr + pfa_len) { + while (next_tlv < ((u32)pfa_ptr + pfa_len)) { u16 tlv_sub_module_type; u16 tlv_len; /* Read TLV type */ - status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type); + status = ice_read_sr_word(hw, (u16)next_tlv, + &tlv_sub_module_type); if (status != ICE_SUCCESS) { ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n"); break; } /* Read TLV length */ - status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len); + status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len); if (status != ICE_SUCCESS) { ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } + if (tlv_len > pfa_len) { + ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); + return ICE_ERR_INVAL_SIZE; + } if (tlv_sub_module_type == module_type) { if (tlv_len) { - *module_tlv = next_tlv; + *module_tlv = (u16)next_tlv; *module_tlv_len = tlv_len; return ICE_SUCCESS; } -- 2.39.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-07-15 16:19:37.212962316 +0100 +++ 0051-net-ice-base-fix-potential-TLV-length-overflow.patch 2024-07-15 16:19:34.612207403 +0100 @@ -1 +1 @@ -From 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 Mon Sep 17 00:00:00 2001 +From ecb6c3285e65e5714c2febb650b21f00f8dbc9af Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ] + @@ -16 +17,0 @@ -Cc: stable@dpdk.org @@ -27 +28 @@ -index 79b66fa70f..811bbc9bbc 100644 +index 6550dda557..bc1a74460c 100644 @@ -30,2 +31 @@ -@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, - u16 module_type) +@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -32,0 +33 @@ + enum ice_status status; @@ -36 +36,0 @@ - int status; 
@@ -39 +39,2 @@ -@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, + if (status != ICE_SUCCESS) { +@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -52 +53 @@ - if (status) { + if (status != ICE_SUCCESS) { @@ -59 +60 @@ - if (status) { + if (status != ICE_SUCCESS) { @@ -72 +73 @@ - return 0; + return ICE_SUCCESS;
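
Review bot: at the `u32 next_tlv` declaration in the first hunk, the wider cursor is narrowed again at every use in the second hunk (`(u16)next_tlv`, `(u16)(next_tlv + 1)`, `*module_tlv = (u16)next_tlv`), so when `(u32)pfa_ptr + pfa_len` exceeds 0xFFFF the loop now terminates but can still read from, and return, a wrapped 16-bit offset. Consider rejecting a PFA whose end lies above the 16-bit word range before entering the loop, so that none of the casts can truncate.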
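
Review bot: the new `if (tlv_len > pfa_len)` check in the second hunk compares against the whole PFA length rather than the space left after `next_tlv`, and it accepts `tlv_len == pfa_len` although the commit message says "less than pfa_len". A matching TLV can therefore still hand the caller a `*module_tlv_len` that extends past `pfa_ptr + pfa_len`. Suggest bounding `tlv_len` by the words remaining between `next_tlv + 2` and the end of the PFA, and making the comparison agree with the commit message.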
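
The wrap the commit message describes, next to a bounds-checked walk, as an added example that is not code from the patch or from DPDK. The `sr` array, the function names, the iteration cap and the sample TLV values are constructed, and the advance step `next += tlv_len + 2` is assumed because it lies outside the quoted hunk; the checked walk is stricter than the patch in that it bounds each TLV by the space remaining in the PFA.

```c
#include <stdint.h>
#include <stdio.h>

#define SR_WORDS 0x10000u      /* 16-bit word addresses */
#define WALK_CAP 1000          /* iteration cap so the demo terminates */
static uint16_t sr[SR_WORDS];  /* constructed shadow-RAM image */

/* Pre-patch shape: 16-bit cursor. Returns 1 found, 0 not found, -1 cap hit. */
static int walk_u16(uint16_t pfa_ptr, uint16_t pfa_len, uint16_t want)
{
    uint16_t next = (uint16_t)(pfa_ptr + 1);
    for (int i = 0; i < WALK_CAP; i++) {
        if (next >= pfa_ptr + pfa_len)
            return 0;
        uint16_t len = sr[(uint16_t)(next + 1)];
        if (sr[next] == want && len)
            return 1;
        next = (uint16_t)(next + len + 2);  /* assumed advance; wraps at 16 bits */
    }
    return -1;
}

/* Hardened shape: 32-bit cursor, end bound and remaining space both checked. */
static int walk_checked(uint16_t pfa_ptr, uint16_t pfa_len, uint16_t want)
{
    uint32_t end = (uint32_t)pfa_ptr + pfa_len;
    uint32_t next = (uint32_t)pfa_ptr + 1;
    if (end > SR_WORDS)
        return -2;                          /* PFA runs past addressable words */
    while (next + 2 <= end) {
        uint16_t type = sr[next], len = sr[next + 1];
        if (len > end - (next + 2))
            return -2;                      /* TLV body would leave the PFA */
        if (type == want && len)
            return 1;
        next += (uint32_t)len + 2;
    }
    return 0;
}

int main(void)
{
    sr[0x11] = 0x0001;                      /* constructed TLV type */
    sr[0x12] = 0xFFFE;                      /* 0x11 + 0xFFFE + 2 == 0x10011 */
    printf("u16 walk: %d, checked walk: %d\n",
           walk_u16(0x10, 0x100, 0x99), walk_checked(0x10, 0x100, 0x99));
    return 0;
}
```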