Message ID | 20231124210802.109763-1-elena.salomatkina.cmc@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | ad31c629ca3c87f6d557488c1f9faaebfbcd203c |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net] octeontx2-af: Fix possible buffer overflow | expand |
On Sat, 25 Nov 2023 00:08:02 +0300 Elena Salomatkina wrote: > A loop in rvu_mbox_handler_nix_bandprof_free() contains > a break if (idx == MAX_BANDPROF_PER_PFFUNC), > but if idx may reach MAX_BANDPROF_PER_PFFUNC > buffer '(*req->prof_idx)[layer]' overflow happens before that check. > > The patch moves the break to the > beginning of the loop. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config support"). > Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@gmail.com> > Reviewed-by: Simon Horman <horms@kernel.org> Marvell folks, at least one of you has to review this. Please see: https://docs.kernel.org/next/maintainer/feature-and-driver-maintainers.html
Hi, >-----Original Message----- >From: Elena Salomatkina <elena.salomatkina.cmc@gmail.com> >Sent: Saturday, November 25, 2023 2:38 AM >To: Sunil Kovvuri Goutham <sgoutham@marvell.com> >Cc: Elena Salomatkina <elena.salomatkina.cmc@gmail.com>; Linu Cherian ><lcherian@marvell.com>; Geethasowjanya Akula <gakula@marvell.com>; >Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Hariprasad Kelam ><hkelam@marvell.com>; Subbaraya Sundeep Bhatta <sbhatta@marvell.com>; >David S. Miller <davem@davemloft.net>; Eric Dumazet ><edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo Abeni ><pabeni@redhat.com>; netdev@vger.kernel.org; linux- >kernel@vger.kernel.org; lvc-project@linuxtesting.org; Simon Horman ><horms@kernel.org> >Subject: [EXT] [PATCH net] octeontx2-af: Fix possible buffer overflow > >---------------------------------------------------------------------- >A loop in rvu_mbox_handler_nix_bandprof_free() contains a break if (idx == >MAX_BANDPROF_PER_PFFUNC), but if idx may reach >MAX_BANDPROF_PER_PFFUNC buffer '(*req->prof_idx)[layer]' overflow >happens before that check. > >The patch moves the break to the >beginning of the loop. > >Found by Linux Verification Center (linuxtesting.org) with SVACE. > >Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config >support"). >Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@gmail.com> >Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com> Thanks, Sundeep >--- > drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c >b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c >index 23c2f2ed2fb8..c112c71ff576 100644 >--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c >+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c >@@ -5505,6 +5505,8 @@ int rvu_mbox_handler_nix_bandprof_free(struct >rvu *rvu, > > ipolicer = &nix_hw->ipolicer[layer]; > for (idx = 0; idx < req->prof_count[layer]; idx++) { >+ if (idx == MAX_BANDPROF_PER_PFFUNC) >+ break; > prof_idx = req->prof_idx[layer][idx]; > if (prof_idx >= ipolicer->band_prof.max || > ipolicer->pfvf_map[prof_idx] != pcifunc) @@ - >5518,8 +5520,6 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu >*rvu, > ipolicer->pfvf_map[prof_idx] = 0x00; > ipolicer->match_id[prof_idx] = 0; > rvu_free_rsrc(&ipolicer->band_prof, prof_idx); >- if (idx == MAX_BANDPROF_PER_PFFUNC) >- break; > } > } > mutex_unlock(&rvu->rsrc_lock); >-- >2.34.1
Hello: This patch was applied to netdev/net.git (main) by Paolo Abeni <pabeni@redhat.com>: On Sat, 25 Nov 2023 00:08:02 +0300 you wrote: > A loop in rvu_mbox_handler_nix_bandprof_free() contains > a break if (idx == MAX_BANDPROF_PER_PFFUNC), > but if idx may reach MAX_BANDPROF_PER_PFFUNC > buffer '(*req->prof_idx)[layer]' overflow happens before that check. > > The patch moves the break to the > beginning of the loop. > > [...] Here is the summary with links: - [net] octeontx2-af: Fix possible buffer overflow https://git.kernel.org/netdev/net/c/ad31c629ca3c You are awesome, thank you!
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c index 23c2f2ed2fb8..c112c71ff576 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c @@ -5505,6 +5505,8 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu, ipolicer = &nix_hw->ipolicer[layer]; for (idx = 0; idx < req->prof_count[layer]; idx++) { + if (idx == MAX_BANDPROF_PER_PFFUNC) + break; prof_idx = req->prof_idx[layer][idx]; if (prof_idx >= ipolicer->band_prof.max || ipolicer->pfvf_map[prof_idx] != pcifunc) @@ -5518,8 +5520,6 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu, ipolicer->pfvf_map[prof_idx] = 0x00; ipolicer->match_id[prof_idx] = 0; rvu_free_rsrc(&ipolicer->band_prof, prof_idx); - if (idx == MAX_BANDPROF_PER_PFFUNC) - break; } } mutex_unlock(&rvu->rsrc_lock);