[PATCH] net/txgbe: fix out of bound access
Ferruh Yigit
ferruh.yigit at amd.com
Fri Nov 17 10:15:20 CET 2023
On 11/17/2023 2:45 AM, Jiawen Wu wrote:
> On Thursday, November 16, 2023 10:07 PM, Ferruh.Yigit at amd.com wrote:
>> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
>>
>> In function 'txgbe_host_interface_command',
>> inlined from 'txgbe_host_interface_command'
>> at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
>> inlined from 'txgbe_hic_reset'
>> at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
>> ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
>> error: array subscript 2 is outside array bounds of
>> 'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
>> 145 | buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>> ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
>> ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
>> note: at offset 8 into object 'reset_cmd' of size 8
>> 331 | struct txgbe_hic_reset reset_cmd;
>> | ^~~~~~~~~
>>
>> Access to buffer done based on command code, the case complained by
>> FW_RESET_CMD has short buffer but this code path only taken with command
>> 0x30, so this shouldn't be a problem.
>>
>> Adding a size check before accessing to the buffer, as this is control
>> plane code, additional check shouldn't hurt.
>>
>> [1]
>> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
>>
>> [2]
>> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
>>
>> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
>> Cc: stable at dpdk.org
>>
>> Reported-by: Luca Boccassi <luca.boccassi at microsoft.com>
>> Signed-off-by: Ferruh Yigit <ferruh.yigit at amd.com>
>> ---
>> Cc: jiawenwu at trustnetic.com
>> Cc: jianwang at trustnetic.com
>>
>> @Luca, I am not sure if this additional check will satisfy the compiler,
>> can you please verify the patch?
>>
>> @Jiawen, there is a specific handling for command 0x30, from comment it
>> looks like it is Read Flash command, but it looks like this command is
>> not used by the driver, if this is correct can we remove the check
>> completely? Removing can be simpler way to fix the compiler error.
>
> Thanks Ferruh. This command has been removed because flash can be read
> directly by the driver. The check can be simply removed.
>
OK, I will send a new version for it.
>> ---
>> drivers/net/txgbe/base/txgbe_mng.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
>> index df7145094f84..9797b1b8b5da 100644
>> --- a/drivers/net/txgbe/base/txgbe_mng.c
>> +++ b/drivers/net/txgbe/base/txgbe_mng.c
>> @@ -147,6 +147,10 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
>> * two byes instead of one byte
>> */
>> if (resp->cmd == 0x30) {
>> + if (length < ((dword_len + 2) << 2)) {
>> + err = TXGBE_ERR_HOST_INTERFACE_COMMAND;
>> + goto rel_out;
>> + }
>> for (; bi < dword_len + 2; bi++)
>> buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>>
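Review bot: the added check inside the 'resp->cmd == 0x30' branch compares length against '(dword_len + 2) << 2' with no comment stating that length is a byte count while the loop bound is a dword count. A one-line comment on the unit conversion would help, and '(dword_len + 2) * sizeof(u32)' reads more clearly than the shift. The bound itself matches the 'for (; bi < dword_len + 2; bi++)' loop that follows, so every write to buffer[bi] in this branch is covered by it. The failure path jumps to rel_out with TXGBE_ERR_HOST_INTERFACE_COMMAND and logs nothing, so a debug message naming the short buffer would make this case diagnosable. Given the reply in this thread that the 0x30 command has been removed, dropping the whole branch is the simpler fix and also removes the access the compiler flags.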
>> --
>> 2.34.1
>>
>