Message ID | 20231123173630.32919-1-elena.salomatkina.cmc@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | octeontx2-af: Fix possible buffer overflow | expand |
On Thu, Nov 23, 2023 at 08:36:30PM +0300, Elena Salomatkina wrote: > A loop in rvu_mbox_handler_nix_bandprof_free() contains > a break if (idx == MAX_BANDPROF_PER_PFFUNC), > but if idx may reach MAX_BANDPROF_PER_PFFUNC > buffer '(*req->prof_idx)[layer]' overflow happens before that check. > > The patch moves the break to the > beginning of the loop. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config support"). > Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@gmail.com> Thanks Elena, I agree with your analysis and that this seems to be an appropriate fix for the problem. As this is a fix, it should be targeted at the net, as opposed to net-next, tree. Please keep this in mind for future patch submissions. Subject: [PATCH net] ... Link https://docs.kernel.org/process/maintainer-netdev.html The above nit notwithstanding, Reviewed-by: Simon Horman <horms@kernel.org>
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c index 23c2f2ed2fb8..c112c71ff576 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c @@ -5505,6 +5505,8 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu, ipolicer = &nix_hw->ipolicer[layer]; for (idx = 0; idx < req->prof_count[layer]; idx++) { + if (idx == MAX_BANDPROF_PER_PFFUNC) + break; prof_idx = req->prof_idx[layer][idx]; if (prof_idx >= ipolicer->band_prof.max || ipolicer->pfvf_map[prof_idx] != pcifunc) @@ -5518,8 +5520,6 @@ int rvu_mbox_handler_nix_bandprof_free(struct rvu *rvu, ipolicer->pfvf_map[prof_idx] = 0x00; ipolicer->match_id[prof_idx] = 0; rvu_free_rsrc(&ipolicer->band_prof, prof_idx); - if (idx == MAX_BANDPROF_PER_PFFUNC) - break; } } mutex_unlock(&rvu->rsrc_lock);
A loop in rvu_mbox_handler_nix_bandprof_free() contains a break if (idx == MAX_BANDPROF_PER_PFFUNC), but if idx may reach MAX_BANDPROF_PER_PFFUNC buffer '(*req->prof_idx)[layer]' overflow happens before that check. The patch moves the break to the beginning of the loop. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config support"). Signed-off-by: Elena Salomatkina <elena.salomatkina.cmc@gmail.com> --- drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)