patch 'net/ice/base: fix potential TLV length overflow' has been queued to stable release 22.11.6
luca.boccassi at gmail.com
Mon Jul 15 17:26:29 CEST 2024
Hi,
FYI, your patch has been queued to stable release 22.11.6
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/17/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/ecb6c3285e65e5714c2febb650b21f00f8dbc9af
Thanks.
Luca Boccassi
---
From ecb6c3285e65e5714c2febb650b21f00f8dbc9af Mon Sep 17 00:00:00 2001
From: Paul Greenwalt <paul.greenwalt at intel.com>
Date: Wed, 26 Jun 2024 12:41:33 +0100
Subject: [PATCH] net/ice/base: fix potential TLV length overflow
[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]
It's possible that an NVM with an invalid tlv_len could cause an integer
overflow of next_tlv which can result in an infinite loop.
Fix this issue by changing next_tlv from u16 to u32 to prevent overflow.
Also check that tlv_len is valid and less than pfa_len.
Fix an issue with conversion from 'u32' to 'u16', possible loss
of data compile errors by making appropriate casts.
Fixes: 77a649999047 ("net/ice/base: move functions from common to NVM module")
Signed-off-by: Paul Greenwalt <paul.greenwalt at intel.com>
Signed-off-by: Dan Nowlin <dan.nowlin at intel.com>
Signed-off-by: Ian Stokes <ian.stokes at intel.com>
Acked-by: Bruce Richardson <bruce.richardson at intel.com>
---
drivers/net/ice/base/ice_nvm.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c
index 6550dda557..bc1a74460c 100644
--- a/drivers/net/ice/base/ice_nvm.c
+++ b/drivers/net/ice/base/ice_nvm.c
@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
{
enum ice_status status;
u16 pfa_len, pfa_ptr;
- u16 next_tlv;
+ u32 next_tlv;
status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr);
if (status != ICE_SUCCESS) {
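Review bot: at the `u32 next_tlv;` declaration, the cursor is now wider than `pfa_len` and `pfa_ptr`, which stay u16 on the line above, and nothing at the declaration says why. A one-line comment stating that next_tlv has to hold pfa_ptr + pfa_len and a full 16-bit tlv_len without wrapping would keep a later cleanup from narrowing it back to u16.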
@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
* of TLVs to find the requested one.
*/
next_tlv = pfa_ptr + 1;
- while (next_tlv < pfa_ptr + pfa_len) {
+ while (next_tlv < ((u32)pfa_ptr + pfa_len)) {
u16 tlv_sub_module_type;
u16 tlv_len;
/* Read TLV type */
- status = ice_read_sr_word(hw, next_tlv, &tlv_sub_module_type);
+ status = ice_read_sr_word(hw, (u16)next_tlv,
+ &tlv_sub_module_type);
if (status != ICE_SUCCESS) {
ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV type.\n");
break;
}
/* Read TLV length */
- status = ice_read_sr_word(hw, next_tlv + 1, &tlv_len);
+ status = ice_read_sr_word(hw, (u16)(next_tlv + 1), &tlv_len);
if (status != ICE_SUCCESS) {
ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n");
break;
}
+ if (tlv_len > pfa_len) {
+ ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n");
+ return ICE_ERR_INVAL_SIZE;
+ }
if (tlv_sub_module_type == module_type) {
if (tlv_len) {
- *module_tlv = next_tlv;
+ *module_tlv = (u16)next_tlv;
*module_tlv_len = tlv_len;
return ICE_SUCCESS;
}
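Review bot: the new `if (tlv_len > pfa_len)` check compares against the length of the whole PFA rather than the words remaining after next_tlv, so a TLV near the end of the area can still pass with a length that runs past pfa_ptr + pfa_len, and that length is handed to the caller through `*module_tlv_len`. It also accepts tlv_len equal to pfa_len, while the commit message says "less than pfa_len". Consider bounding tlv_len by the remaining space, counting the two header words read at next_tlv and next_tlv + 1, for example rejecting when `next_tlv + 2 + tlv_len > (u32)pfa_ptr + pfa_len`. Separately, the `(u16)next_tlv` and `(u16)(next_tlv + 1)` casts truncate silently if pfa_ptr + pfa_len can exceed 0xFFFF; a check on that sum before the loop would make the casts safe by construction.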
--
2.39.2
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2024-07-15 16:19:37.212962316 +0100
+++ 0051-net-ice-base-fix-potential-TLV-length-overflow.patch 2024-07-15 16:19:34.612207403 +0100
@@ -1 +1 @@
-From 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 Mon Sep 17 00:00:00 2001
+From ecb6c3285e65e5714c2febb650b21f00f8dbc9af Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 2c5f6b43524e9dc6cc25c67a536ee6564ea71e09 ]
+
@@ -16 +17,0 @@
-Cc: stable at dpdk.org
@@ -27 +28 @@
-index 79b66fa70f..811bbc9bbc 100644
+index 6550dda557..bc1a74460c 100644
@@ -30,2 +31 @@
-@@ -472,7 +472,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
- u16 module_type)
+@@ -474,7 +474,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
@@ -32,0 +33 @@
+ enum ice_status status;
@@ -36 +36,0 @@
- int status;
@@ -39 +39,2 @@
-@@ -489,25 +489,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
+ if (status != ICE_SUCCESS) {
+@@ -490,25 +490,30 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
@@ -52 +53 @@
- if (status) {
+ if (status != ICE_SUCCESS) {
@@ -59 +60 @@
- if (status) {
+ if (status != ICE_SUCCESS) {
@@ -72 +73 @@
- return 0;
+ return ICE_SUCCESS;
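The failure mode described in the commit message, as an added example that is not part of the original mail, the patch, or DPDK: a TLV walk over a constructed word array, once with a 16-bit cursor and once with a 32-bit cursor plus the length check. The names sr, walk_u16, walk_u32, load_image and MAX_STEPS are hypothetical, and the advance step (cursor + length + 2 header words) is an assumption, since it lies outside the lines shown in the patch.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_STEPS 1000  /* demo budget so a wrapping walk still returns */
enum { WALK_DONE = 0, WALK_BAD_LEN = -1, WALK_STUCK = -2 };

static uint16_t sr[0x10000];  /* constructed stand-in for the NVM word array */

/* Pre-fix shape: 16-bit cursor, no length validation. */
static int walk_u16(uint16_t pfa_ptr, uint16_t pfa_len)
{
    uint16_t next_tlv = (uint16_t)(pfa_ptr + 1);
    for (int steps = 0; next_tlv < pfa_ptr + pfa_len; steps++) {
        uint16_t tlv_len = sr[(uint16_t)(next_tlv + 1)];
        if (steps >= MAX_STEPS)
            return WALK_STUCK;  /* cursor keeps wrapping back into the area */
        next_tlv = (uint16_t)(next_tlv + tlv_len + 2);  /* assumed advance step */
    }
    return WALK_DONE;
}

/* Post-fix shape: 32-bit cursor plus the tlv_len > pfa_len check from the patch. */
static int walk_u32(uint16_t pfa_ptr, uint16_t pfa_len)
{
    uint32_t next_tlv = (uint32_t)pfa_ptr + 1;
    for (int steps = 0; next_tlv < (uint32_t)pfa_ptr + pfa_len; steps++) {
        uint16_t tlv_len = sr[(uint16_t)(next_tlv + 1)];
        if (tlv_len > pfa_len)
            return WALK_BAD_LEN;
        if (steps >= MAX_STEPS)
            return WALK_STUCK;
        next_tlv = next_tlv + tlv_len + 2;  /* assumed advance step */
    }
    return WALK_DONE;
}

/* Constructed image: PFA at 0x100, 0x40 words; only the first length varies. */
static void load_image(uint16_t first_len)
{
    sr[0x101] = 1; sr[0x102] = first_len;  /* TLV 1: type, length */
    sr[0x113] = 2; sr[0x114] = 0x2B;       /* TLV 2, reached when first_len is 0x10 */
}

int main(void)
{
    load_image(0xFFFE);  /* 0x101 + 0xFFFE + 2 = 0x10101, which is 0x0101 in 16 bits */
    printf("u16 cursor: %d, u32 cursor: %d\n", walk_u16(0x100, 0x40), walk_u32(0x100, 0x40));
    return 0;
}
```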