Message ID | 20240702140124.19096-1-amishin@t-argos.ru (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Netdev Maintainers |
Series | [v2] fsl/fman: Validate cell-index value obtained from Device Tree |
On 7/2/24 10:01, Aleksandr Mishin wrote:
> Cell-index value is obtained from Device Tree and then used to calculate > the index for accessing arrays port_mfl[], mac_mfl[] and intr_mng[]. > In case of broken DT due to any error cell-index can contain any value > and it is possible to go beyond the array boundaries which can lead > at least to memory corruption. > Validate cell-index value obtained from Device Tree. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> > --- > v1->v2: Move check to mac.c to avoid allmodconfig build errors and reference leaks > > drivers/net/ethernet/freescale/fman/fman.c | 1 - > drivers/net/ethernet/freescale/fman/fman.h | 3 +++ > drivers/net/ethernet/freescale/fman/mac.c | 4 ++++ > 3 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c > index d96028f01770..fb416d60dcd7 100644 > --- a/drivers/net/ethernet/freescale/fman/fman.c > +++ b/drivers/net/ethernet/freescale/fman/fman.c > @@ -24,7 +24,6 @@ > > /* General defines */ > #define FMAN_LIODN_TBL 64 /* size of LIODN table */ > -#define MAX_NUM_OF_MACS 10 > #define FM_NUM_OF_FMAN_CTRL_EVENT_REGS 4 > #define BASE_RX_PORTID 0x08 > #define BASE_TX_PORTID 0x28 > diff --git a/drivers/net/ethernet/freescale/fman/fman.h b/drivers/net/ethernet/freescale/fman/fman.h > index 2ea575a46675..74eb62eba0d7 100644 > --- a/drivers/net/ethernet/freescale/fman/fman.h > +++ b/drivers/net/ethernet/freescale/fman/fman.h
> @@ -74,6 +74,9 @@ > #define BM_MAX_NUM_OF_POOLS 64 /* Buffers pools */ > #define FMAN_PORT_MAX_EXT_POOLS_NUM 8 /* External BM pools per Rx port */ > > +/* General defines */ > +#define MAX_NUM_OF_MACS 10 > + > struct fman; /* FMan data */ > > /* Enum for defining port types */ > diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c > index 9767586b4eb3..ac9ad5e67b44 100644 > --- a/drivers/net/ethernet/freescale/fman/mac.c > +++ b/drivers/net/ethernet/freescale/fman/mac.c > @@ -247,6 +247,10 @@ static int mac_probe(struct platform_device *_of_dev) > dev_err(dev, "failed to read cell-index for %pOF\n", mac_node); > return -EINVAL; > } > + if (val >= MAX_NUM_OF_MACS) { > + dev_err(dev, "cell-index value is too big for %pOF\n", mac_node); > + return -EINVAL; > + } > priv->cell_index = (u8)val; > > /* Get the MAC address */ > -- > 2.30.2 >
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c index d96028f01770..fb416d60dcd7 100644 --- a/drivers/net/ethernet/freescale/fman/fman.c +++ b/drivers/net/ethernet/freescale/fman/fman.c @@ -24,7 +24,6 @@ /* General defines */ #define FMAN_LIODN_TBL 64 /* size of LIODN table */ -#define MAX_NUM_OF_MACS 10 #define FM_NUM_OF_FMAN_CTRL_EVENT_REGS 4 #define BASE_RX_PORTID 0x08 #define BASE_TX_PORTID 0x28 diff --git a/drivers/net/ethernet/freescale/fman/fman.h b/drivers/net/ethernet/freescale/fman/fman.h index 2ea575a46675..74eb62eba0d7 100644 --- a/drivers/net/ethernet/freescale/fman/fman.h +++ b/drivers/net/ethernet/freescale/fman/fman.h @@ -74,6 +74,9 @@ #define BM_MAX_NUM_OF_POOLS 64 /* Buffers pools */ #define FMAN_PORT_MAX_EXT_POOLS_NUM 8 /* External BM pools per Rx port */ +/* General defines */ +#define MAX_NUM_OF_MACS 10 + struct fman; /* FMan data */ /* Enum for defining port types */ diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c index 9767586b4eb3..ac9ad5e67b44 100644 --- a/drivers/net/ethernet/freescale/fman/mac.c +++ b/drivers/net/ethernet/freescale/fman/mac.c @@ -247,6 +247,10 @@ static int mac_probe(struct platform_device *_of_dev) dev_err(dev, "failed to read cell-index for %pOF\n", mac_node); return -EINVAL; } + if (val >= MAX_NUM_OF_MACS) { + dev_err(dev, "cell-index value is too big for %pOF\n", mac_node); + return -EINVAL; + } priv->cell_index = (u8)val; /* Get the MAC address */
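Review bot: In the fman.h hunk, the added "/* General defines */" comment does not say what MAX_NUM_OF_MACS bounds, although after this move it is the limit that mac.c enforces on cell-index. A comment on the define stating that it is the upper bound for a MAC's cell-index, and naming the arrays it is meant to protect, would keep the header and the new check in mac_probe() from drifting apart. The fman.c hunk only drops the old definition, so fman.c has to pick the constant up through fman.h; the visible lines do not show that include.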
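Review bot: In the mac.c hunk, the new dev_err() reports only "cell-index value is too big" and prints neither val nor the limit, so a broken Device Tree cannot be diagnosed from the log alone; consider adding both, for example "cell-index %u exceeds %d for %pOF". Testing val before "priv->cell_index = (u8)val;" is the right order, since the comparison then sees the full value and not the narrowed one. The commit message says the value is used to calculate the indexes into port_mfl[], mac_mfl[] and intr_mng[], but nothing in the visible lines shows that val < MAX_NUM_OF_MACS keeps each calculated index inside its array; stating the array sizes or the index arithmetic in the commit message would make the chosen bound checkable.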
Cell-index value is obtained from Device Tree and then used to calculate the index for accessing arrays port_mfl[], mac_mfl[] and intr_mng[]. In case of broken DT due to any error cell-index can contain any value and it is possible to go beyond the array boundaries which can lead at least to memory corruption. Validate cell-index value obtained from Device Tree.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 414fd46e7762 ("fsl/fman: Add FMan support")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>

---
v1->v2: Move check to mac.c to avoid allmodconfig build errors and reference leaks

 drivers/net/ethernet/freescale/fman/fman.c | 1 -
 drivers/net/ethernet/freescale/fman/fman.h | 3 +++
 drivers/net/ethernet/freescale/fman/mac.c | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)
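The bounds check described in the commit message, modelled in userspace as an added example (not code from the patch or the driver): it shows why the 32-bit property value has to be compared against MAX_NUM_OF_MACS before it is narrowed to 8 bits. The function names, mac_table[] and the sample values are hypothetical; only MAX_NUM_OF_MACS and the check-then-cast order come from the patch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NUM_OF_MACS 10   /* bound used by the patch */
/* Stand-in for a per-MAC table indexed by cell-index (hypothetical). */
static uint16_t mac_table[MAX_NUM_OF_MACS];

/* Check the full 32-bit property value, then narrow: the patch's order. */
static int cell_index_checked_first(uint32_t val, uint8_t *out)
{
    if (val >= MAX_NUM_OF_MACS)
        return -EINVAL;
    *out = (uint8_t)val;
    return 0;
}

/* Narrow first, then check: 259 (0x103) truncates to 3 and is accepted. */
static int cell_index_checked_late(uint32_t val, uint8_t *out)
{
    uint8_t idx = (uint8_t)val;
    if (idx >= MAX_NUM_OF_MACS)
        return -EINVAL;
    *out = idx;
    return 0;
}

/* Write to the table only after validation succeeded; 0 or -EINVAL. */
static int set_mac_entry(uint32_t dt_val, uint16_t value)
{
    uint8_t idx;
    if (cell_index_checked_first(dt_val, &idx))
        return -EINVAL;
    mac_table[idx] = value;
    return 0;
}

int main(void)
{
    /* Constructed property values, not taken from a real Device Tree. */
    const uint32_t samples[] = { 0, 9, 10, 255, 259, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint8_t a = 0, b = 0;
        printf("%10u  checked-first=%d  checked-late=%d\n",
               (unsigned)samples[i],
               cell_index_checked_first(samples[i], &a),
               cell_index_checked_late(samples[i], &b));
    }
    return 0;
}
```
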