diff mbox series

net: atlantic: Avoid out-of-bounds indexing

Message ID f9fab445-e4f4-88c1-c9a3-0129af1ccf27@vladutescu-zopp.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series net: atlantic: Avoid out-of-bounds indexing | expand

Checks

Context Check Description
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Nikolaus Vladutescu-Zopp May 19, 2022, 1:09 a.m. UTC 
A UBSAN warning is observed on atlantic driver:

[ 16.257086] UBSAN: array-index-out-of-bounds in 
drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1268:48
[ 16.257090] index 8 is out of range for type 'aq_vec_s *[8]'

The index is assigned right before breaking out the loop, so there's no
actual deferencing happening.
So only use the index inside the loop to fix the issue.

Same issue was observed and corrected in two other places.

BugLink: https://bugs.launchpad.net/bugs/1958770
Suggested-by: bsdz <blairuk@gmail.com>
Suggested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>
Signed-off-by: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>

---
   drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 17 ++++++++++-------
   1 file changed, 10 insertions(+), 7 deletions(-)

   		  AQ_CFG_POLLING_TIMER_INTERVAL);
@@ -928,9 +929,10 @@ u64 *aq_nic_get_stats(struct aq_nic_s *self, u64 *data)
   	data += i;

   	for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
-		for (i = 0U, aq_vec = self->aq_vec[0];
-		     aq_vec && self->aq_vecs > i;
-		     ++i, aq_vec = self->aq_vec[i]) {
+		for (i = 0U; self->aq_vecs > i; ++i) {
+			aq_vec = self->aq_vec[i];
+			if (!aq_vec)
+				break;
   			data += count;
   			count = aq_vec_get_sw_stats(aq_vec, tc, data);
   		}
@@ -1264,9 +1266,10 @@ int aq_nic_stop(struct aq_nic_s *self)

   	aq_ptp_irq_free(self);

-	for (i = 0U, aq_vec = self->aq_vec[0];
-		self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+	for (i = 0U; self->aq_vecs > i; ++i) {
+		aq_vec = self->aq_vec[i];
   		aq_vec_stop(aq_vec);
+	}

   	aq_ptp_ring_stop(self);

Comments

Jakub Kicinski May 20, 2022, 12:51 a.m. UTC | #1 
On Thu, 19 May 2022 03:09:50 +0200 Nikolaus Vladutescu-Zopp wrote:
> A UBSAN warning is observed on atlantic driver:
> 
> [ 16.257086] UBSAN: array-index-out-of-bounds in 
> drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1268:48
> [ 16.257090] index 8 is out of range for type 'aq_vec_s *[8]'
> 
> The index is assigned right before breaking out the loop, so there's no
> actual deferencing happening.
> So only use the index inside the loop to fix the issue.
> 
> Same issue was observed and corrected in two other places.
> 
> BugLink: https://bugs.launchpad.net/bugs/1958770
> Suggested-by: bsdz <blairuk@gmail.com>
> Suggested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
> Tested-by: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>
> Signed-off-by: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>

The patch does not apply, please rebase on net/master:

https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/

and repost. Please use [PATCH net] as the subject prefix. Please add 
a Fixes tag, if possible. Please replace "bsdz" with the person's name
or remove that tag.
diff mbox series

Patch

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index 24d715c28a35..f49645d243ba 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -268,9 +268,10 @@  static void aq_nic_polling_timer_cb(struct
timer_list *t)
   	struct aq_vec_s *aq_vec = NULL;
   	unsigned int i = 0U;

-	for (i = 0U, aq_vec = self->aq_vec[0];
-		self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+	for (i = 0U; self->aq_vecs > i; ++i) {
+		aq_vec = self->aq_vec[i];
   		aq_vec_isr(i, (void *)aq_vec);
+	}

   	mod_timer(&self->polling_timer, jiffies +