[dpdk-dev] [PATCH v2 1/1] raw/ifpga/base: check size before assigning
Zhang, Tianfei
tianfei.zhang at intel.com
Wed Apr 14 04:46:21 CEST 2021
> -----Original Message-----
> From: Aaron Conole <aconole at redhat.com>
> Sent: 2021年4月9日 22:56
> To: Yigit, Ferruh <ferruh.yigit at intel.com>
> Cc: David Marchand <david.marchand at redhat.com>; stable at dpdk.org;
> Zhang, Tianfei <tianfei.zhang at intel.com>; Huang, Wei
> <wei.huang at intel.com>; Zhang, Qi Z <qi.z.zhang at intel.com>; Xu, Rosen
> <rosen.xu at intel.com>; dev at dpdk.org; Mcnamara, John
> <john.mcnamara at intel.com>
> Subject: Re: [PATCH v2 1/1] raw/ifpga/base: check size before assigning
>
> Ferruh Yigit <ferruh.yigit at intel.com> writes:
>
> > On 4/8/2021 9:51 AM, Wei Huang wrote:
> >> In max10_staging_area_init(), variable "size" from fdt_get_reg() may
> >> be invalid, it should be checked before assigning to member variable
> >> "staging_area_size" of structure "intel_max10_device".
> >>
> >> Coverity issue: 367480, 367482
> >> Fixes: 96ebfcf8125c ("raw/ifpga/base: add SPI and MAX10 device
> >> driver")
> >>
> >> Signed-off-by: Wei Huang <wei.huang at intel.com>
> >> ---
> >> v2: check size before assigning to staging_area_size
> >> ---
> >> drivers/raw/ifpga/base/opae_intel_max10.c | 2 +-
> >> drivers/raw/ifpga/base/opae_intel_max10.h | 1 +
> >> 2 files changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c
> >> b/drivers/raw/ifpga/base/opae_intel_max10.c
> >> index 443e248fb3..c223fafa03 100644
> >> --- a/drivers/raw/ifpga/base/opae_intel_max10.c
> >> +++ b/drivers/raw/ifpga/base/opae_intel_max10.c
> >> @@ -593,7 +593,7 @@ static int max10_staging_area_init(struct
> intel_max10_device *dev)
> >> continue;
> >> ret = fdt_get_reg(fdt_root, offset, 0, &start, &size);
> >> - if (!ret) {
> >> + if (!ret && (size <= MAX_STAGING_AREA_SIZE)) {
> >> dev->staging_area_base = start;
> >> dev->staging_area_size = size;
> >> }
> >> diff --git a/drivers/raw/ifpga/base/opae_intel_max10.h
> >> b/drivers/raw/ifpga/base/opae_intel_max10.h
> >> index 670683f017..e7142d6f0d 100644
> >> --- a/drivers/raw/ifpga/base/opae_intel_max10.h
> >> +++ b/drivers/raw/ifpga/base/opae_intel_max10.h
> >> @@ -182,6 +182,7 @@ struct opae_retimer_status {
> >> #define SBUS_VERSION GENMASK(31, 16)
> >> #define DFT_MAX_SIZE 0x7e0000
> >> +#define MAX_STAGING_AREA_SIZE 0x3800000
> >> int max10_reg_read(struct intel_max10_device *dev,
> >> unsigned int reg, unsigned int *val);
> >>
> >
> > Hi Aaron, David,
> >
> > The data flow is complex for this coverity issues [1], at least I
> > can't confirm that change fixes the issue.
> >
> > Are you aware of any way to confirm this coverity issue before merging it?
>
> Not generically. :-/
>
> We need someone that understands the data flow and the coverity splat to
> know that the fix is correct. Coverity even ratelimits how many outstanding
> submissions we can post, iirc, so we don't get to push patch sets (unless we
> pay? I don't recall if there's an option for that).
This fix is looks good for me. The fdt_get_reg() function just read out the content of some items from DTS file,
We call the libfdt library API to do this.
The Coverity just assume some attacker broken the DTS file or invoke the function with arbitrary values, it is not safety,
So this patch add some checking after the function return.
>
> > [1]
> > https://scan4.coverity.com/reports.htm#v26325/p10075/fileInstanceId=10
> > 0181086&defectInstanceId=14238477&mergedDefectId=367480
More information about the dev
mailing list