qed: fix uninit pointer read in qed_mcp_nvm_info_populate()

Message ID	20241211134041.65860-2-gianf.trad@gmail.com (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D076023FD00; Wed, 11 Dec 2024 13:42:35 +0000 (UTC) From: Gianfranco Trad <gianf.trad@gmail.com> To: manishc@marvell.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, Gianfranco Trad <gianf.trad@gmail.com> Subject: [PATCH] qed: fix uninit pointer read in qed_mcp_nvm_info_populate() Date: Wed, 11 Dec 2024 14:40:42 +0100 Message-ID: <20241211134041.65860-2-gianf.trad@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	qed: fix uninit pointer read in qed_mcp_nvm_info_populate() \| expand qed: fix uninit pointer read in qed_mcp_nvm_info_populate()

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 6 of 6 maintainers
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 2 this patch: 2
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2024-12-12--00-00 (tests: 795)

Gianfranco Trad Dec. 11, 2024, 1:40 p.m. UTC

Coverity reports an uninit pointer read in qed_mcp_nvm_info_populate().
If qed_mcp_bist_nvm_get_num_images() returns -EOPNOTSUPP, this leads to
jump to label out with nvm_info.image_att being uninit while assigning it
to p_hwfn->nvm_info.image_att.
Add check on rc against -EOPNOTSUPP to avoid such uninit pointer read.

Closes: https://scan5.scan.coverity.com/#/project-view/63204/10063?selectedIssue=1636666
Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
---
Note:
- Fixes: tag should be "7a0ea70da56e net/qed: allow old cards not supporting "num_images" to work" ?
  
 drivers/net/ethernet/qlogic/qed/qed_mcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Simon Horman Dec. 12, 2024, 5:04 p.m. UTC | #1

On Wed, Dec 11, 2024 at 02:40:42PM +0100, Gianfranco Trad wrote:
> Coverity reports an uninit pointer read in qed_mcp_nvm_info_populate().
> If qed_mcp_bist_nvm_get_num_images() returns -EOPNOTSUPP, this leads to
> jump to label out with nvm_info.image_att being uninit while assigning it
> to p_hwfn->nvm_info.image_att.
> Add check on rc against -EOPNOTSUPP to avoid such uninit pointer read.
> 
> Closes: https://scan5.scan.coverity.com/#/project-view/63204/10063?selectedIssue=1636666
> Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
> ---
> Note:
> - Fixes: tag should be "7a0ea70da56e net/qed: allow old cards not supporting "num_images" to work" ?
>   
>  drivers/net/ethernet/qlogic/qed/qed_mcp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> index b45efc272fdb..127943b39f61 100644
> --- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> +++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> @@ -3387,7 +3387,7 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn)
>  	}
>  out:
>  	/* Update hwfn's nvm_info */
> -	if (nvm_info.num_images) {
> +	if (nvm_info.num_images && rc != -EOPNOTSUPP) {
>  		p_hwfn->nvm_info.num_images = nvm_info.num_images;
>  		kfree(p_hwfn->nvm_info.image_att);
>  		p_hwfn->nvm_info.image_att = nvm_info.image_att;

Are you sure that nvm_info.num_images can be non-zero if rc == -EOPNOTSUPP?

The cited commit state:

    Commit 43645ce03e00 ("qed: Populate nvm image attribute shadow.")
    added support for populating flash image attributes, notably
    "num_images". However, some cards were not able to return this
    information. In such cases, the driver would return EINVAL, causing the
    driver to exit.

    Add check to return EOPNOTSUPP instead of EINVAL when the card is not
    able to return these information. The caller function already handles
    EOPNOTSUPP without error.

So I would expect that nvm_info.num_images is 0.

If not, perhaps an alternate fix is to make that so, either by setting
it in qed_mcp_bist_nvm_get_num_images, or where the return value of
qed_mcp_bist_nvm_get_num_images is checked (just before the goto out).

And, in any case I think some testing is in order.

Gianfranco Trad Dec. 13, 2024, 12:13 p.m. UTC | #2

On 12/12/24 18:04, Simon Horman wrote:
> On Wed, Dec 11, 2024 at 02:40:42PM +0100, Gianfranco Trad wrote:
>> Coverity reports an uninit pointer read in qed_mcp_nvm_info_populate().
>> If qed_mcp_bist_nvm_get_num_images() returns -EOPNOTSUPP, this leads to
>> jump to label out with nvm_info.image_att being uninit while assigning it
>> to p_hwfn->nvm_info.image_att.
>> Add check on rc against -EOPNOTSUPP to avoid such uninit pointer read.
>>
>> Closes: https://scan5.scan.coverity.com/#/project-view/63204/10063?selectedIssue=1636666
>> Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
>> ---
>> Note:
>> - Fixes: tag should be "7a0ea70da56e net/qed: allow old cards not supporting "num_images" to work" ?
>>    
>>   drivers/net/ethernet/qlogic/qed/qed_mcp.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>> index b45efc272fdb..127943b39f61 100644
>> --- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>> +++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>> @@ -3387,7 +3387,7 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn)
>>   	}
>>   out:
>>   	/* Update hwfn's nvm_info */
>> -	if (nvm_info.num_images) {
>> +	if (nvm_info.num_images && rc != -EOPNOTSUPP) {
>>   		p_hwfn->nvm_info.num_images = nvm_info.num_images;
>>   		kfree(p_hwfn->nvm_info.image_att);
>>   		p_hwfn->nvm_info.image_att = nvm_info.image_att;
> 

Hi Simon,

> Are you sure that nvm_info.num_images can be non-zero if rc == -EOPNOTSUPP?
>

In the coverity report, the static analyzer is able to take the true 
branch on nvm_info.num_images. I didn't physically reproduce this 
logical state as I don't possess the matching hardware.

> The cited commit state:
> 
>      Commit 43645ce03e00 ("qed: Populate nvm image attribute shadow.")
>      added support for populating flash image attributes, notably
>      "num_images". However, some cards were not able to return this
>      information. In such cases, the driver would return EINVAL, causing the
>      driver to exit.
> 
>      Add check to return EOPNOTSUPP instead of EINVAL when the card is not
>      able to return these information. The caller function already handles
>      EOPNOTSUPP without error.
> 
> So I would expect that nvm_info.num_images is 0.
> 
> If not, perhaps an alternate fix is to make that so, either by setting
> it in qed_mcp_bist_nvm_get_num_images, or where the return value of
> qed_mcp_bist_nvm_get_num_images is checked (just before the goto out).
>

Makes sense, so something like this I suppose:

--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
@@ -3301,8 +3301,10 @@ int qed_mcp_bist_nvm_get_num_images(struct 
qed_hwfn *p_hwfn,
   	if (rc)
   		return rc;

-	if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED))
+	if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED)) {
+		*num_images = 0;
   		rc = -EOPNOTSUPP;
+	}

Or the second option you stated.

> And, in any case I think some testing is in order.

I strongly agree. Let me know if I can help more with this.

Thanks for your time,
--Gian

Simon Horman Dec. 13, 2024, 1:31 p.m. UTC | #3

On Fri, Dec 13, 2024 at 01:13:12PM +0100, Gianfranco Trad wrote:
> On 12/12/24 18:04, Simon Horman wrote:
> > On Wed, Dec 11, 2024 at 02:40:42PM +0100, Gianfranco Trad wrote:
> > > Coverity reports an uninit pointer read in qed_mcp_nvm_info_populate().
> > > If qed_mcp_bist_nvm_get_num_images() returns -EOPNOTSUPP, this leads to
> > > jump to label out with nvm_info.image_att being uninit while assigning it
> > > to p_hwfn->nvm_info.image_att.
> > > Add check on rc against -EOPNOTSUPP to avoid such uninit pointer read.
> > > 
> > > Closes: https://scan5.scan.coverity.com/#/project-view/63204/10063?selectedIssue=1636666
> > > Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
> > > ---
> > > Note:
> > > - Fixes: tag should be "7a0ea70da56e net/qed: allow old cards not supporting "num_images" to work" ?
> > >   drivers/net/ethernet/qlogic/qed/qed_mcp.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> > > index b45efc272fdb..127943b39f61 100644
> > > --- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> > > +++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> > > @@ -3387,7 +3387,7 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn)
> > >   	}
> > >   out:
> > >   	/* Update hwfn's nvm_info */
> > > -	if (nvm_info.num_images) {
> > > +	if (nvm_info.num_images && rc != -EOPNOTSUPP) {
> > >   		p_hwfn->nvm_info.num_images = nvm_info.num_images;
> > >   		kfree(p_hwfn->nvm_info.image_att);
> > >   		p_hwfn->nvm_info.image_att = nvm_info.image_att;
> > 
> 
> Hi Simon,
> 
> > Are you sure that nvm_info.num_images can be non-zero if rc == -EOPNOTSUPP?
> > 
> 
> In the coverity report, the static analyzer is able to take the true branch
> on nvm_info.num_images. I didn't physically reproduce this logical state as
> I don't possess the matching hardware.
> 
> > The cited commit state:
> > 
> >      Commit 43645ce03e00 ("qed: Populate nvm image attribute shadow.")
> >      added support for populating flash image attributes, notably
> >      "num_images". However, some cards were not able to return this
> >      information. In such cases, the driver would return EINVAL, causing the
> >      driver to exit.
> > 
> >      Add check to return EOPNOTSUPP instead of EINVAL when the card is not
> >      able to return these information. The caller function already handles
> >      EOPNOTSUPP without error.
> > 
> > So I would expect that nvm_info.num_images is 0.
> > 
> > If not, perhaps an alternate fix is to make that so, either by setting
> > it in qed_mcp_bist_nvm_get_num_images, or where the return value of
> > qed_mcp_bist_nvm_get_num_images is checked (just before the goto out).
> > 
> 
> Makes sense, so something like this I suppose:
> 
> --- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> +++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
> @@ -3301,8 +3301,10 @@ int qed_mcp_bist_nvm_get_num_images(struct qed_hwfn
> *p_hwfn,
>   	if (rc)
>   		return rc;
> 
> -	if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED))
> +	if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED)) {
> +		*num_images = 0;
>   		rc = -EOPNOTSUPP;
> +	}
> 
> Or the second option you stated.

Yes, that is what I was thinking.
But as it is a side effect, and thus hidden slightly,
on reflection perhaps the second option is better. IDK.

> > And, in any case I think some testing is in order.
> 
> I strongly agree. Let me know if I can help more with this.
> 
> Thanks for your time,
> --Gian
>

Gianfranco Trad Dec. 15, 2024, 1:11 a.m. UTC | #4

On 13/12/24 14:31, Simon Horman wrote:
> On Fri, Dec 13, 2024 at 01:13:12PM +0100, Gianfranco Trad wrote:
>> On 12/12/24 18:04, Simon Horman wrote:
>>> On Wed, Dec 11, 2024 at 02:40:42PM +0100, Gianfranco Trad wrote:
>>>> Coverity reports an uninit pointer read in qed_mcp_nvm_info_populate().
>>>> If qed_mcp_bist_nvm_get_num_images() returns -EOPNOTSUPP, this leads to
>>>> jump to label out with nvm_info.image_att being uninit while assigning it
>>>> to p_hwfn->nvm_info.image_att.
>>>> Add check on rc against -EOPNOTSUPP to avoid such uninit pointer read.
>>>>
>>>> Closes: https://scan5.scan.coverity.com/#/project-view/63204/10063?selectedIssue=1636666
>>>> Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
>>>> ---
>>>> Note:
>>>> - Fixes: tag should be "7a0ea70da56e net/qed: allow old cards not supporting "num_images" to work" ?
>>>>    drivers/net/ethernet/qlogic/qed/qed_mcp.c | 2 +-
>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>>>> index b45efc272fdb..127943b39f61 100644
>>>> --- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>>>> +++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>>>> @@ -3387,7 +3387,7 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn)
>>>>    	}
>>>>    out:
>>>>    	/* Update hwfn's nvm_info */
>>>> -	if (nvm_info.num_images) {
>>>> +	if (nvm_info.num_images && rc != -EOPNOTSUPP) {
>>>>    		p_hwfn->nvm_info.num_images = nvm_info.num_images;
>>>>    		kfree(p_hwfn->nvm_info.image_att);
>>>>    		p_hwfn->nvm_info.image_att = nvm_info.image_att;
>>>
>>
>> Hi Simon,
>>
>>> Are you sure that nvm_info.num_images can be non-zero if rc == -EOPNOTSUPP?
>>>
>>
>> In the coverity report, the static analyzer is able to take the true branch
>> on nvm_info.num_images. I didn't physically reproduce this logical state as
>> I don't possess the matching hardware.
>>
>>> The cited commit state:
>>>
>>>       Commit 43645ce03e00 ("qed: Populate nvm image attribute shadow.")
>>>       added support for populating flash image attributes, notably
>>>       "num_images". However, some cards were not able to return this
>>>       information. In such cases, the driver would return EINVAL, causing the
>>>       driver to exit.
>>>
>>>       Add check to return EOPNOTSUPP instead of EINVAL when the card is not
>>>       able to return these information. The caller function already handles
>>>       EOPNOTSUPP without error.
>>>
>>> So I would expect that nvm_info.num_images is 0.
>>>
>>> If not, perhaps an alternate fix is to make that so, either by setting
>>> it in qed_mcp_bist_nvm_get_num_images, or where the return value of
>>> qed_mcp_bist_nvm_get_num_images is checked (just before the goto out).
>>>
>>
>> Makes sense, so something like this I suppose:
>>
>> --- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>> +++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
>> @@ -3301,8 +3301,10 @@ int qed_mcp_bist_nvm_get_num_images(struct qed_hwfn
>> *p_hwfn,
>>    	if (rc)
>>    		return rc;
>>
>> -	if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED))
>> +	if (((rsp & FW_MSG_CODE_MASK) == FW_MSG_CODE_UNSUPPORTED)) {
>> +		*num_images = 0;
>>    		rc = -EOPNOTSUPP;
>> +	}
>>
>> Or the second option you stated.
> 
> Yes, that is what I was thinking.
> But as it is a side effect, and thus hidden slightly,
> on reflection perhaps the second option is better. IDK.
> 

Got it. Will send a v2 accordingly.

Thanks for your time,
--Gian

>>> And, in any case I think some testing is in order.
>>
>> I strongly agree. Let me know if I can help more with this.
>>
>> Thanks for your time,
>> --Gian
>>

qed: fix uninit pointer read in qed_mcp_nvm_info_populate()

Checks

Commit Message

Comments

Patch