patches for DPDK stable branches
 help / color / mirror / Atom feed
From: Bruce Richardson <bruce.richardson@intel.com>
To: stable@dpdk.org
Cc: ktraynor@redhat.com, Fabio Pricoco <fabio.pricoco@intel.com>,
	Jacob Keller <jacob.e.keller@intel.com>,
	Soumyadeep Hore <soumyadeep.hore@intel.com>,
	Bruce Richardson <bruce.richardson@intel.com>
Subject: [PATCH 21.11] net/ice/base: fix iteration of TLVs in Preserved Fields Area
Date: Wed,  4 Dec 2024 13:56:25 +0000	[thread overview]
Message-ID: <20241204135625.2841607-1-bruce.richardson@intel.com> (raw)

From: Fabio Pricoco <fabio.pricoco@intel.com>

Backport of commit dcb760bf0f95 ("net/ice/base: fix iteration of TLVs in
Preserved Fields Area"), for 21.11 release, replacing the use of
__builtin_add_overflow with an inline function to avoid breaking
RHEL/Centos 7.

The ice_get_pfa_module_tlv() function iterates over the Preserved Fields
Area to read data from the Shadow RAM, including the Part Board Assembly
data, among others.

If the specific TLV being requested is not found in the current NVM, the
code will read past the end of the PFA, misinterpreting the last word of
the PFA and the word just after the PFA as another TLV. This typically
results in one extra iteration before the length check of the while loop
is triggered.

Correct the logic for determining the maximum PFA offset to include the
extra last word. Additionally, make the driver robust against overflows
by using check_add_overflow. This ensures that even if the NVM provides
bogus data, the driver will not overflow, and will instead log a useful
warning message. The check for whether the TLV length exceeds the PFA
length is also removed, in favor of relying on the overflow warning
instead.

Fixes: 5d0b7b5fc491 ("net/ice/base: add read PBA module function")
Cc: stable@dpdk.org

Signed-off-by: Fabio Pricoco <fabio.pricoco@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Soumyadeep Hore <soumyadeep.hore@intel.com>
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
 drivers/net/ice/base/ice_nvm.c | 43 ++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index 48e0d418e2..0d160a30a0 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -426,6 +426,15 @@ enum ice_status ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data)
 	return status;
 }
 
+static inline bool
+check_add_overflow(uint16_t a, uint16_t b, uint16_t *out)
+{
+	uint32_t val = (uint32_t)a + (uint32_t)b;
+	*out = (uint16_t)val;
+
+	return (val > UINT16_MAX);
+}
+
 /**
  * ice_get_pfa_module_tlv - Reads sub module TLV from NVM PFA
  * @hw: pointer to hardware structure
@@ -442,8 +451,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 		       u16 module_type)
 {
 	enum ice_status status;
-	u16 pfa_len, pfa_ptr;
-	u32 next_tlv;
+	u16 pfa_len, pfa_ptr, next_tlv, max_tlv;
 
 	status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
 	if (status != ICE_SUCCESS) {
@@ -455,11 +463,23 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 		ice_debug(hw, ICE_DBG_INIT, "Failed to read PFA length.\n");
 		return status;
 	}
-	/* Starting with first TLV after PFA length, iterate through the list
+
+	if (check_add_overflow(pfa_ptr, (u16)(pfa_len - 1), &max_tlv)) {
+		ice_debug(hw, ICE_DBG_INIT, "PFA starts at offset %u. PFA length of %u caused 16-bit arithmetic overflow.\n",
+				  pfa_ptr, pfa_len);
+		return ICE_ERR_INVAL_SIZE;
+	}
+
+	/* The Preserved Fields Area contains a sequence of TLVs which define
+	 * its contents. The PFA length includes all of the TLVs, plus its
+	 * initial length word itself, *and* one final word at the end of all
+	 * of the TLVs.
+	 *
+	 * Starting with first TLV after PFA length, iterate through the list
 	 * of TLVs to find the requested one.
 	 */
 	next_tlv = pfa_ptr + 1;
-	while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
+	while (next_tlv < max_tlv) {
 		u16 tlv_sub_module_type;
 		u16 tlv_len;
 
@@ -476,10 +496,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 			ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
 			break;
 		}
-		if (tlv_len > pfa_len) {
-			ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
-			return ICE_ERR_INVAL_SIZE;
-		}
 		if (tlv_sub_module_type == module_type) {
 			if (tlv_len) {
 				*module_tlv = (u16)next_tlv;
@@ -488,10 +504,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
 			}
 			return ICE_ERR_INVAL_SIZE;
 		}
-		/* Check next TLV, i.e. current TLV pointer + length + 2 words
-		 * (for current TLV's type and length)
-		 */
-		next_tlv = next_tlv + tlv_len + 2;
+
+		if (check_add_overflow(next_tlv, (u16)2, &next_tlv) ||
+		    check_add_overflow(next_tlv, tlv_len, &next_tlv)) {
+			ice_debug(hw, ICE_DBG_INIT, "TLV of type %u and length 0x%04x caused 16-bit arithmetic overflow. The PFA starts at 0x%04x and has length of 0x%04x\n",
+					  tlv_sub_module_type, tlv_len, pfa_ptr, pfa_len);
+			return ICE_ERR_INVAL_SIZE;
+		}
 	}
 	/* Module does not exist */
 	return ICE_ERR_DOES_NOT_EXIST;
-- 
2.43.0


             reply	other threads:[~2024-12-04 13:56 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-04 13:56 Bruce Richardson [this message]
2024-12-04 15:56 ` Kevin Traynor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241204135625.2841607-1-bruce.richardson@intel.com \
    --to=bruce.richardson@intel.com \
    --cc=fabio.pricoco@intel.com \
    --cc=jacob.e.keller@intel.com \
    --cc=ktraynor@redhat.com \
    --cc=soumyadeep.hore@intel.com \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).