From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id D8909457A1
	for <public@inbox.dpdk.org>; Mon, 12 Aug 2024 14:56:33 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id D194D402C3;
	Mon, 12 Aug 2024 14:56:33 +0200 (CEST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
 (mail-dm6nam11on2056.outbound.protection.outlook.com [40.107.223.56])
 by mails.dpdk.org (Postfix) with ESMTP id AB25040669
 for <stable@dpdk.org>; Mon, 12 Aug 2024 14:56:31 +0200 (CEST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=KkH3GCkIZWMSeUHHFkhIDSl2dsEPLSU2hu2MKowjUGP5RRpomtswX4Wacl1NU/tYFOiIbxPi4lNuuchIAGAmLt+paramYp0sBVHbPfdlO45now/BlGx3joMlPQW4BKDEBVFZLeINoFzDKhtkwb9xgBHcn+EXmcN7QLqzgiecHjTgLiwupvUu6GETlEKC7ebX11fcuNdEXhvySawyggldcd2asZO1Ch+dGoUZT/3eEeXGivM/LZC0bPEHQiHdYnqirN/QxcTeVmXt1vKNNBDh9Y5NIIWtmGQ73eCWFTQxO7G1u7M/AnuXg2Cc3H0aRYoR0nvKfpA2FPSMExGghUBv5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=ZD7VNKFCWNvNt94egaMegsD1MoQYg2EO9yAlwKnfZg4=;
 b=MAeelw1vpzHxGtgPyhUxIbk7RoAZebyCNK/r+Fjp3C8NIEcNESLbpNfYrqZkLoll/pLuGYSw9hdPGQTyZo6I9WPxP/6zjzCYQ1Vxvoa+EwAUUN4jt68Di4Ua+x5p2L/wjNFbQrR0Ndni7d0ODwmdLKZ/mxJ1kleUMW4JQuk+JfN5sAs+xV6xT6DOluAGc/k4FKJmdwvd85zM6TyuR4IhBt3qrX66a6IOqTJoMAW+zLjpN6zk2hhHi6wy2DEkKZzi3G4sgdDw+c+D0Eelqa+1dIq0gFnZba0PWoB9k1vK/IsxpRZa9/0f+XxaOixqaC8W2oc889FWjC1KB8ShNyC43Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 216.228.117.160) smtp.rcpttodomain=intel.com smtp.mailfrom=nvidia.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com;
 dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=ZD7VNKFCWNvNt94egaMegsD1MoQYg2EO9yAlwKnfZg4=;
 b=NWXiTYGgdZPFSWJ7xKUuf9E9GuAEj/O3ICORjXJfOn2HdzjWdq8n3xzlr7cq3RhmY2ceRxeEX9xrw/COs+cDpEOKnkknFF5xKKH8I85eW09VLGZrIoTmRjboS+/oW8rxv9bDhzTz72FNpuS+5cp/qsbzz/h+fVoJmPsVj7TpGjaIy6pjxEA2ZmbObFYpoNqYbHLuGy4NyeQeq18KjrrXKB3IS14A4aq+eEkU7LSVbWwPdkzc4rTf42KJyWvuOzuhIiSveNGs2uui/7TeJI66S9oak3jS2tAqyK1N3NJkAxy78DL65JsEDgJWdUNWjHnrxu01b6lirGa3ABF7veti+w==
Received: from DM6PR14CA0054.namprd14.prod.outlook.com (2603:10b6:5:18f::31)
 by PH7PR12MB9150.namprd12.prod.outlook.com (2603:10b6:510:2eb::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.20; Mon, 12 Aug
 2024 12:56:28 +0000
Received: from DS1PEPF0001708F.namprd03.prod.outlook.com
 (2603:10b6:5:18f:cafe::48) by DM6PR14CA0054.outlook.office365.com
 (2603:10b6:5:18f::31) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.33 via Frontend
 Transport; Mon, 12 Aug 2024 12:56:27 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160)
 smtp.mailfrom=nvidia.com;
 dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=nvidia.com;
Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.117.160 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C
Received: from mail.nvidia.com (216.228.117.160) by
 DS1PEPF0001708F.mail.protection.outlook.com (10.167.17.139) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.7828.19 via Frontend Transport; Mon, 12 Aug 2024 12:56:27 +0000
Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com
 (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Mon, 12 Aug
 2024 05:56:18 -0700
Received: from nvidia.com (10.126.231.35) by rnnvmail201.nvidia.com
 (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Mon, 12 Aug
 2024 05:56:16 -0700
From: Xueming Li <xuemingl@nvidia.com>
To: Paul Greenwalt <paul.greenwalt@intel.com>
CC: <xuemingl@nvidia.com>, Dan Nowlin <dan.nowlin@intel.com>, Ian Stokes
 <ian.stokes@intel.com>, Bruce Richardson <bruce.richardson@intel.com>, "dpdk
 stable" <stable@dpdk.org>
Subject: patch 'net/ice/base: fix potential TLV length overflow' has been
 queued to stable release 23.11.2
Date: Mon, 12 Aug 2024 20:48:56 +0800
Message-ID: <20240812125035.389667-60-xuemingl@nvidia.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240812125035.389667-1-xuemingl@nvidia.com>
References: <20240712110153.309690-23-xuemingl@nvidia.com>
 <20240812125035.389667-1-xuemingl@nvidia.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Originating-IP: [10.126.231.35]
X-ClientProxiedBy: rnnvmail201.nvidia.com (10.129.68.8) To
 rnnvmail201.nvidia.com (10.129.68.8)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS1PEPF0001708F:EE_|PH7PR12MB9150:EE_
X-MS-Office365-Filtering-Correlation-Id: 0e7363db-b892-4b63-6432-08dcbace2de4
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
 ARA:13230040|376014|1800799024|82310400026|36860700013; 
X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?by97uFynsFNbZ9AdGlpeGcBse9LN8oyXSiUDj1NTV7n7HtNMJofIpI1qE8Ub?=
 =?us-ascii?Q?NTyvXxNxq99WL7/MlTcKNxo0CrA0nQ4vuF7Viy5V1TVAD29qPJT3O9wwLDd9?=
 =?us-ascii?Q?x22jhcp12+Vsavz+yU8Kgpjo7QwWdptqQQo1uEeyIqhLgaaFypmA0bZTIvPl?=
 =?us-ascii?Q?kOTyxDlYZMQltUB46x49ZOOIy45zqnvhZ8JbM7d4B9mkLtmIXmYA2J6eTK+f?=
 =?us-ascii?Q?hwuU9DmESzaJPItInlO5UrGdjLzFrs0vK05RXuq2+4qiuHG5S4i02snhtn2J?=
 =?us-ascii?Q?71oBcRZFFrqNFWCnJIQK49LbrSW+ACSasC0JjgM6vPGrom9I8uO/5/9hepV9?=
 =?us-ascii?Q?2oFrTYLHsiYXvIBuU6V3x6IDAKYsegTQ3s0rp3uhzTZPPmZ8Wm3Ov+0yNhYF?=
 =?us-ascii?Q?jw6QxQi8xaSgPOj6PjjKteKwvM2ddnx3kJgruPR3k2D+guJiAr8fGEqG9JO2?=
 =?us-ascii?Q?jo2xxeGxZ9SarD19/6Kl6m/0zaxa/HYKvM82IHKn+IcKOUnntnNFji3iAk9X?=
 =?us-ascii?Q?VWtaAxvJvfzJAlq17gv/OyGcOvC+RbIJZGC9MZN//ffseFTlOAcAK9Ju0J73?=
 =?us-ascii?Q?GniuuiGHUFNjfo0nS/1tbLrAI+9O6ozipASdZaz7CO/KV8vgQ5pFNb5IzZ/l?=
 =?us-ascii?Q?WwX2wj/oAKWBwxusvfATbwTAytzmYcj6eYqvaZ11tVWbHHdDfa5wsGMgyEl+?=
 =?us-ascii?Q?0us4gRFVDbEm0wuBTH65K4KD5hurrf63xjR3BQFK2tYajA8sV4aUnRYQgFgc?=
 =?us-ascii?Q?Ug9mBmspFGgqygvgjRAtb6dOya0AVeN2H9g9Gn91wAGsUc8wtUg0Gb5CnvvS?=
 =?us-ascii?Q?AfNyNq+8YGnFdncxS3kvdaBccXfsL8pSb5a7yPKobiM4vbqhU6E0dtDjjp2h?=
 =?us-ascii?Q?gbbYc5BgqQbHrC1X5Rk6G8MTHjcrigQuDgz6KGGOjaP58BUJR95Z7thFBLGF?=
 =?us-ascii?Q?2hh40gq5k1/Yo4g6zb7GYMQzER8nLLWtwjjQCtaYM0v9Je0t6OIAwQxzWzwP?=
 =?us-ascii?Q?m0YwTlHEvsO1TdhQjq2aB5e036xo/DVsZW9CcA5qklyVOys5XuXocJSYwG01?=
 =?us-ascii?Q?okd9Itdi2gREBH8aJQKwKZh82wGStiuc5mprvY9rhkQcMnd8IvJKwxBXFsfu?=
 =?us-ascii?Q?wqcR8xJ+HC3Wt3kXKDNntgwIIReeMO8UH4fX6D9TDCRg5mWGEIIVqQGbIUd0?=
 =?us-ascii?Q?iBJQjF4FOkSYHIPP6kSjFLK7PQFjI3xy7szS9gDP7senVBNsUgR0zk00K8lf?=
 =?us-ascii?Q?TvqQdGqiHYh6dB8DlA5lqGt+OUKI9QpR7oPlqtlkMAuIdjjX9wljVbWpWswx?=
 =?us-ascii?Q?qW/QgdYul5DywoApOUuzLjDv69MTc5+voTxIyUQ8sSBHJCnzr/5FPtRBnodK?=
 =?us-ascii?Q?/3Y3MQblu9CBMTmY1hlXfJJhatqvgFndAgwjk0r9G+yQkYgSEyq0VvomJIDR?=
 =?us-ascii?Q?A7qsI5owea7kolsJnzp8y0jAbBI1E5dv?=
X-Forefront-Antispam-Report: CIP:216.228.117.160; CTRY:US; LANG:en; SCL:1; SRV:;
 IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:dc6edge1.nvidia.com; CAT:NONE;
 SFS:(13230040)(376014)(1800799024)(82310400026)(36860700013); DIR:OUT;
 SFP:1101; 
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Aug 2024 12:56:27.4645 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0e7363db-b892-4b63-6432-08dcbace2de4
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.117.160];
 Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: DS1PEPF0001708F.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR12MB9150
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

Hi,

FYI, your patch has been queued to stable release 23.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/14/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=5167b4d2d3921f86591da1798acba43a902514d6

Thanks.

Xueming Li <xuemingl@nvidia.com>

---
>From 5167b4d2d3921f86591da1798acba43a902514d6 Mon Sep 17 00:00:00 2001
From: Paul Greenwalt <paul.greenwalt@intel.com>
Date: Wed, 26 Jun 2024 12:41:33 +0100
Subject: [PATCH] net/ice/base: fix potential TLV length overflow
Cc: Xueming Li <xuemingl@nvidia.com>

[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]

It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result an infinite loop.

Fix this issue by changing next_tlv from u16 to u32 to prevent overflow.
Also check that tlv_len is valid and less than pfa_len.

Fix an issue with conversion from 'u32' to 'u16', possible loss
of data compile errors by making appropriate casts.

Fixes: 77a649999047 ("net/ice/base: move functions from common to NVM module")

Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Signed-off-by: Dan Nowlin <dan.nowlin@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
---
 drivers/net/ice/base/ice_nvm.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index c112d3a27e..30e603127e 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 {
 	enum ice_status status;
 	u16 pfa_len, pfa_ptr;
-	u16 next_tlv;
+	u32 next_tlv;
 
 	status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
 	if (status != ICE_SUCCESS) {
@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 	 * of TLVs to find the requested one.
 	 */
 	next_tlv = pfa_ptr + 1;
-	while (next_tlv < pfa_ptr + pfa_len) {
+	while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
 		u16 tlv_sub_module_type;
 		u16 tlv_len;
 
 		/* Read TLV type */
-		status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type);
-		if (status != ICE_SUCCESS) {
+		status = ice_read_sr_word(hw, (u16)next_tlv,
+					  &tlv_sub_module_type);
+		if (status) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n");
 			break;
 		}
 		/* Read TLV length */
-		status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len);
+		status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len);
 		if (status != ICE_SUCCESS) {
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
 			break;
 		}
+		if (tlv_len > pfa_len) {
+			ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
+			return ICE_ERR_INVAL_SIZE;
+		}
 		if (tlv_sub_module_type == module_type) {
 			if (tlv_len) {
-				*module_tlv = next_tlv;
+				*module_tlv = (u16)next_tlv;
 				*module_tlv_len = tlv_len;
 				return ICE_SUCCESS;
 			}
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-08-12 20:44:04.540225538 +0800
+++ 0059-net-ice-base-fix-potential-TLV-length-overflow.patch	2024-08-12 20:44:02.125069300 +0800
@@ -1 +1 @@
-From 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 Mon Sep 17 00:00:00 2001
+From 5167b4d2d3921f86591da1798acba43a902514d6 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl@nvidia.com>
+
+[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]
@@ -16 +18,0 @@
-Cc: stable@dpdk.org
@@ -23,2 +25,2 @@
- drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
+ drivers/net/ice/base/ice_nvm.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
@@ -27 +29 @@
-index 79b66fa70f..811bbc9bbc 100644
+index c112d3a27e..30e603127e 100644
@@ -30,2 +32 @@
-@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
- 		       u16 module_type)
+@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
@@ -32,0 +34 @@
+ 	enum ice_status status;
@@ -36 +37,0 @@
- 	int status;
@@ -39 +40,2 @@
-@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
+ 	if (status != ICE_SUCCESS) {
+@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
@@ -49,0 +52 @@
+-		if (status != ICE_SUCCESS) {
@@ -52 +55 @@
- 		if (status) {
++		if (status) {
@@ -59 +62 @@
- 		if (status) {
+ 		if (status != ICE_SUCCESS) {
@@ -72 +75 @@
- 				return 0;
+ 				return ICE_SUCCESS;