patch 'net/ice/base: fix potential TLV length overflow' has been queued to stable release 23.11.2
Xueming Li
xuemingl at nvidia.com
Mon Aug 12 14:48:56 CEST 2024
Hi,
FYI, your patch has been queued to stable release 23.11.2
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/14/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging
This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=5167b4d2d3921f86591da1798acba43a902514d6
Thanks.
Xueming Li <xuemingl at nvidia.com>
---
>From 5167b4d2d3921f86591da1798acba43a902514d6 Mon Sep 17 00:00:00 2001
From: Paul Greenwalt <paul.greenwalt at intel.com>
Date: Wed, 26 Jun 2024 12:41:33 +0100
Subject: [PATCH] net/ice/base: fix potential TLV length overflow
Cc: Xueming Li <xuemingl at nvidia.com>
[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]
It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result in an infinite loop.
Fix this issue by changing next_tlv from u16 to u32 to prevent overflow.
Also check that tlv_len is valid and less than pfa_len.
Fix an issue with conversion from 'u32' to 'u16', possible loss
of data compile errors by making appropriate casts.
Fixes: 77a649999047 ("net/ice/base: move functions from common to NVM module")
Signed-off-by: Paul Greenwalt <paul.greenwalt at intel.com>
Signed-off-by: Dan Nowlin <dan.nowlin at intel.com>
Signed-off-by: Ian Stokes <ian.stokes at intel.com>
Acked-by: Bruce Richardson <bruce.richardson at intel.com>
---
drivers/net/ice/base/ice_nvm.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index c112d3a27e..30e603127e 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
{
enum ice_status status;
u16 pfa_len, pfa_ptr;
- u16 next_tlv;
+ u32 next_tlv;
status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
if (status != ICE_SUCCESS) {
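Review bot: the `u32 next_tlv;` declaration carries no comment explaining why it is wider than `pfa_ptr` and `pfa_len`, which stay `u16` on the line above. A one-line comment stating that next_tlv holds a 16-bit NVM word offset in a 32-bit variable so that advancing it cannot wrap would keep a later cleanup from narrowing it back to u16 and reintroducing the loop.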
@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
* of TLVs to find the requested one.
*/
next_tlv = pfa_ptr + 1;
- while (next_tlv < pfa_ptr + pfa_len) {
+ while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
u16 tlv_sub_module_type;
u16 tlv_len;
/* Read TLV type */
- status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type);
- if (status != ICE_SUCCESS) {
+ status = ice_read_sr_word(hw, (u16)next_tlv,
+ &tlv_sub_module_type);
+ if (status) {
ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n");
break;
}
/* Read TLV length */
- status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len);
+ status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len);
if (status != ICE_SUCCESS) {
ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
break;
}
+ if (tlv_len > pfa_len) {
+ ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
+ return ICE_ERR_INVAL_SIZE;
+ }
if (tlv_sub_module_type == module_type) {
if (tlv_len) {
- *module_tlv = next_tlv;
+ *module_tlv = (u16)next_tlv;
*module_tlv_len = tlv_len;
return ICE_SUCCESS;
}
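Review bot: the new `if (tlv_len > pfa_len)` check bounds the length against the size of the whole PFA rather than against the space left after next_tlv, so a TLV close to the end of the area with a length up to pfa_len still passes and, on a type match, is handed back through `*module_tlv_len` even though it runs past `pfa_ptr + pfa_len`. Assuming tlv_len counts the words that follow the two header words read here, rejecting the TLV when `next_tlv + 2 + tlv_len` exceeds `(u32)pfa_ptr + pfa_len` would catch that case. It is also worth settling whether tlv_len equal to pfa_len is valid, since the commit message says "less than pfa_len" while the test accepts equality. Separately, the `(u16)next_tlv` casts truncate silently if `pfa_ptr + pfa_len` is above 0xFFFF, so a check before the loop that the end of the area fits in 16 bits would make those casts safe by construction.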
--
2.34.1
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2024-08-12 20:44:04.540225538 +0800
+++ 0059-net-ice-base-fix-potential-TLV-length-overflow.patch 2024-08-12 20:44:02.125069300 +0800
@@ -1 +1 @@
-From 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 Mon Sep 17 00:00:00 2001
+From 5167b4d2d3921f86591da1798acba43a902514d6 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]
@@ -16 +18,0 @@
-Cc: stable at dpdk.org
@@ -23,2 +25,2 @@
- drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
+ drivers/net/ice/base/ice_nvm.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
@@ -27 +29 @@
-index 79b66fa70f..811bbc9bbc 100644
+index c112d3a27e..30e603127e 100644
@@ -30,2 +32 @@
-@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
- u16 module_type)
+@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
@@ -32,0 +34 @@
+ enum ice_status status;
@@ -36 +37,0 @@
- int status;
@@ -39 +40,2 @@
-@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
+ if (status != ICE_SUCCESS) {
+@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
@@ -49,0 +52 @@
+- if (status != ICE_SUCCESS) {
@@ -52 +55 @@
- if (status) {
++ if (status) {
@@ -59 +62 @@
- if (status) {
+ if (status != ICE_SUCCESS) {
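Review bot: the rebase changes the check after the TLV-type read from `if (status != ICE_SUCCESS)` to `if (status)` while the check after the TLV-length read keeps `if (status != ICE_SUCCESS)`, which is where the extra insertion and deletion in the diffstat come from. Since the stable branch keeps `enum ice_status status;`, leaving the first check as `status != ICE_SUCCESS` and backporting only the `(u16)next_tlv` cast on that call would keep the backport minimal and the two checks consistent.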
@@ -72 +75 @@
- return 0;
+ return ICE_SUCCESS;