octeontx2-af: Add array index check

Message ID 20240328081648.13193-1-amishin@t-argos.ru (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 10 of 10 maintainers
netdev/build_clang success Errors and warnings before: 955 this patch: 955
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 955 this patch: 955
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Aleksandr Mishin March 28, 2024, 8:16 a.m. UTC
In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
values (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
Fix this bug by adding an 'iter' value check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 91c6945ea1f9 ("octeontx2-af: cn10k: Add RPM MAC support")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Hariprasad Kelam March 28, 2024, 10:09 a.m. UTC | #1
Hi,

> In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can
> reach values (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the
> array.
> Fix this bug by adding an 'iter' value check.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 

Since it is a fix, please add "net" to the subject.

Thanks,
Hariprasad k
> Fixes: 91c6945ea1f9 ("octeontx2-af: cn10k: Add RPM MAC support")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> index 72e060cf6b61..e9bf9231b018 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
> @@ -160,6 +160,8 @@ static int rvu_map_cgx_lmac_pf(struct rvu *rvu)
>  			continue;
>  		lmac_bmap = cgx_get_lmac_bmap(rvu_cgx_pdata(cgx, rvu));
>  		for_each_set_bit(iter, &lmac_bmap, rvu->hw->lmac_per_cgx)
> {
> +			if (iter >= MAX_LMAC_COUNT)
> +				continue;
>  			lmac = cgx_get_lmacid(rvu_cgx_pdata(cgx, rvu),
>  					      iter);
>  			rvu->pf2cgxlmac_map[pf] = cgxlmac_id_to_bmap(cgx,
> lmac);
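Review bot: the added `if (iter >= MAX_LMAC_COUNT) continue;` inside the for_each_set_bit() body drops LMACs silently and carries no comment naming the array it protects. The visible lines only show iter being passed to cgx_get_lmacid(), so a reader cannot tell from the hunk which access was out of bounds. A one-line comment, plus a warning when the hardware bitmap has bits set at or above MAX_LMAC_COUNT, would make the mismatch visible instead of hiding it.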
> --
> 2.30.2

Jakub Kicinski March 28, 2024, 6:28 p.m. UTC | #2
On Thu, 28 Mar 2024 11:16:48 +0300 Aleksandr Mishin wrote:
> In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
> values (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
> Fix this bug by adding an 'iter' value check.

I'm guessing you got the 14 from:

	hw->lmac_per_cgx = (nix_const >> 8) & 0xFULL;

Seems more reasonable to cap the size at that point than every use
afterwards.

Simon Horman March 30, 2024, 8:10 p.m. UTC | #3
On Thu, Mar 28, 2024 at 11:28:18AM -0700, Jakub Kicinski wrote:
> On Thu, 28 Mar 2024 11:16:48 +0300 Aleksandr Mishin wrote:
> > In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
> > values (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
> > Fix this bug by adding an 'iter' value check.
> 
> I'm guessing you got the 14 from:
> 
> 	hw->lmac_per_cgx = (nix_const >> 8) & 0xFULL;
> 
> Seems more reasonable to cap the size at that point than every use
> afterwards.

FWIW, I didn't find any other locations where this overflow might occur,
but I do agree that this approach makes sense.

I also notice that rvu_map_cgx_lmac_pf() has the following check near the
top. I think the lmac_per_cgx portion can be dropped, though that could be
a follow-up.

        if (cgx_cnt_max > 0xF || rvu->hw->lmac_per_cgx > 0xF)
                return -EINVAL;
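
The alternative raised in the thread, bounding the hardware-reported count once where it is decoded so that every later loop inherits a safe limit, is sketched here as an added example; it is not code from the patch or the driver. `struct hw_info`, `hw_info_init()` and `map_lmacs()` are hypothetical names, and only the field extraction and `MAX_LMAC_COUNT = 8` are taken from the messages above.

```c
#include <stdint.h>
#include <string.h>

#define MAX_LMAC_COUNT 8 /* array size quoted in the commit message */

/* Hypothetical stand-in for the driver's hardware description. */
struct hw_info {
	uint8_t lmac_per_cgx;
};

/*
 * Decode the 4-bit count with the extraction quoted in the thread and cap
 * it once. Returns 1 if the hardware value was capped, 0 otherwise, so the
 * caller can log the mismatch.
 */
static int hw_info_init(struct hw_info *hw, uint64_t nix_const)
{
	uint64_t n = (nix_const >> 8) & 0xFULL;
	int capped = n > MAX_LMAC_COUNT;

	hw->lmac_per_cgx = (uint8_t)(capped ? MAX_LMAC_COUNT : n);
	return capped;
}

/*
 * Mark every LMAC whose bit is set in lmac_bmap. The loop limit is the
 * capped count, so 'iter' is a valid index into the table by construction.
 * Returns the number of entries marked.
 */
static int map_lmacs(const struct hw_info *hw, unsigned long lmac_bmap,
		     uint8_t present[MAX_LMAC_COUNT])
{
	int count = 0;

	memset(present, 0, MAX_LMAC_COUNT);
	for (unsigned int iter = 0; iter < hw->lmac_per_cgx; iter++) {
		if (lmac_bmap & (1UL << iter)) {
			present[iter] = 1;
			count++;
		}
	}
	return count;
}
```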

Patch

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
index 72e060cf6b61..e9bf9231b018 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
@@ -160,6 +160,8 @@  static int rvu_map_cgx_lmac_pf(struct rvu *rvu)
 			continue;
 		lmac_bmap = cgx_get_lmac_bmap(rvu_cgx_pdata(cgx, rvu));
 		for_each_set_bit(iter, &lmac_bmap, rvu->hw->lmac_per_cgx) {
+			if (iter >= MAX_LMAC_COUNT)
+				continue;
 			lmac = cgx_get_lmacid(rvu_cgx_pdata(cgx, rvu),
 					      iter);
 			rvu->pf2cgxlmac_map[pf] = cgxlmac_id_to_bmap(cgx, lmac);
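Review bot: the loop limit in for_each_set_bit(iter, &lmac_bmap, rvu->hw->lmac_per_cgx) is left as it was, and the new check filters each iteration instead of bounding the walk. Bits are visited in ascending order, so once iter >= MAX_LMAC_COUNT every remaining iteration is skipped as well, and `break` would say that more directly than `continue`. Bounding the limit itself (the smaller of lmac_per_cgx and MAX_LMAC_COUNT, or validating lmac_per_cgx once where it is set) would remove the need for a per-use check here and in any other loop that trusts the same field.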