From: Kevin Traynor
To: Paul Greenwalt
Cc: Dan Nowlin, Ian Stokes, Bruce Richardson, dpdk stable
Subject: patch 'net/ice/base: fix potential TLV length overflow' has been queued to stable release 21.11.8
Date: Fri, 23 Aug 2024 17:18:37 +0100
Message-ID: <20240823161929.1004778-89-ktraynor@redhat.com>
In-Reply-To: <20240823161929.1004778-1-ktraynor@redhat.com>
References: <20240823161929.1004778-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.8

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/28/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/c91760c3104a63a1eef5231860679be0c10ea145

Thanks.

Kevin

---
>From c91760c3104a63a1eef5231860679be0c10ea145 Mon Sep 17 00:00:00 2001
From: Paul Greenwalt Date: Wed, 26 Jun 2024 12:41:33 +0100 Subject: [PATCH] net/ice/base: fix potential TLV length overflow [ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ] It's possible that an NVM with an invalid tlv_len could cause an integer overflow of next_tlv which can result an infinite loop. Fix this issue by changing next_tlv from u16 to u32 to prevent overflow. Also check that tlv_len is valid and less than pfa_len. Fix an issue with conversion from 'u32' to 'u16', possible loss of data compile errors by making appropriate casts. Fixes: 77a649999047 ("net/ice/base: move functions from common to NVM module") Signed-off-by: Paul Greenwalt Signed-off-by: Dan Nowlin Signed-off-by: Ian Stokes Acked-by: Bruce Richardson --- drivers/net/ice/base/ice_nvm.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 7860006206..25f32d03e0 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -430,5 +430,5 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, enum ice_status status; u16 pfa_len, pfa_ptr; - u16 next_tlv; + u32 next_tlv; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); @@ -446,10 +446,11 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, */ next_tlv = pfa_ptr + 1; - while (next_tlv < pfa_ptr + pfa_len) { + while (next_tlv < ((u32)pfa_ptr + pfa_len)) { u16 tlv_sub_module_type; u16 tlv_len; /* Read TLV type */ - status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type); + status = ice_read_sr_word(hw, (u16)next_tlv, + &tlv_sub_module_type); if (status != ICE_SUCCESS) { ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n"); 
@@ -457,12 +458,16 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, } /* Read TLV length */ - status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len); + status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len); if (status != ICE_SUCCESS) { ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } + if (tlv_len > pfa_len) { + ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); + return ICE_ERR_INVAL_SIZE; + } if (tlv_sub_module_type == module_type) { if (tlv_len) { - *module_tlv = next_tlv; + *module_tlv = (u16)next_tlv; *module_tlv_len = tlv_len; return ICE_SUCCESS; -- 2.46.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-08-23 17:18:12.359392422 +0100 +++ 0089-net-ice-base-fix-potential-TLV-length-overflow.patch 2024-08-23 17:18:09.784430329 +0100 @@ -1 +1 @@ -From 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 Mon Sep 17 00:00:00 2001 +From c91760c3104a63a1eef5231860679be0c10ea145 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ] + @@ -16 +17,0 @@ -Cc: stable@dpdk.org @@ -27 +28 @@ -index 79b66fa70f..811bbc9bbc 100644 +index 7860006206..25f32d03e0 100644 @@ -30,2 +31,2 @@ -@@ -473,5 +473,5 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, - { +@@ -430,5 +430,5 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, + enum ice_status status; @@ -35 +35,0 @@ - int status; @@ -37 +37,2 @@ -@@ -490,10 +490,11 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, + status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); +@@ -446,10 +446,11 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -49 +50 @@ - if (status) { + if (status != ICE_SUCCESS) { 
@@ -51 +52 @@ -@@ -501,12 +502,16 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, +@@ -457,12 +458,16 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -56 +57 @@ - if (status) { + if (status != ICE_SUCCESS) { @@ -69 +70 @@ - return 0; + return ICE_SUCCESS;
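
Review bot: In the @@ -446 hunk of ice_nvm.c, the new (u16)next_tlv cast on the TLV type read truncates silently, and nothing in the visible lines keeps next_tlv within 16 bits. pfa_ptr and pfa_len are both u16, so the widened bound (u32)pfa_ptr + pfa_len can exceed 0xFFFF; next_tlv can then be above 0xFFFF while still below the bound, and ice_read_sr_word() is called with a wrapped, low Shadow RAM offset. The loop now terminates, but it would parse words that are outside the PFA. Suggest rejecting the area before the loop when (u32)pfa_ptr + pfa_len does not fit in a u16, which also makes every later (u16) cast, including (u16)(next_tlv + 1) in the following hunk and the *module_tlv assignment, provably lossless.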
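
Review bot: In the @@ -457 hunk of ice_nvm.c, the added check "if (tlv_len > pfa_len)" bounds the length against the size of the whole PFA rather than against what is left between next_tlv and the end of the area. A TLV that starts near the end can pass the check and still extend beyond pfa_ptr + pfa_len, and on a type match that length is handed to the caller unchanged through *module_tlv_len. Suggest comparing tlv_len with the remaining words, derived from (u32)pfa_ptr + pfa_len - next_tlv less the type and length words read just above. Separately, this path leaves with "return ICE_ERR_INVAL_SIZE;" while the two read-failure paths next to it use break; a short comment on why the exits differ would help the next reader.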