From patchwork Thu May 19 01:09:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>
X-Patchwork-Id: 12854444
X-Patchwork-Delegate: kuba@kernel.org
Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BC810C433EF
	for <netdev@archiver.kernel.org>; Thu, 19 May 2022 01:17:31 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232263AbiESBRa (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Wed, 18 May 2022 21:17:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49000 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232269AbiESBR3 (ORCPT
        <rfc822;netdev@vger.kernel.org>); Wed, 18 May 2022 21:17:29 -0400
X-Greylist: delayed 434 seconds by postgrey-1.37 at lindbergh.monkeyblade.net;
 Wed, 18 May 2022 18:17:27 PDT
Received: from mail.vladutescu-zopp.com (mail.vladutescu-zopp.com
 [178.13.10.128])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3336D66AC7;
        Wed, 18 May 2022 18:17:27 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)
 with ESMTPSA id 8C2BB39DA8;
        Thu, 19 May 2022 03:09:50 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vladutescu-zopp.com;
        s=dkim; t=1652922609;
        h=from:subject:date:message-id:to:cc:mime-version:content-type:
         content-language; bh=/f4eYqJAhIzo57t3oiUNGKCzzzDhYBOiY8WsyELBOvs=;
        b=eYW2CW6em8cvvDlfozjEIPIflpnZp7lDqEAmGxxRnj8fW/sovCuZlam9ehq11uzmTddp02
        WzhgbxQTr1OIBNadpf8d0cPU70mXwrflk2LuuPql3Hz3QIBedzTBjdjzmrREl5RudRcuUw
        g1LJ/GgE7R48D7/o1pcAP2tGrS0y1tH+E44JazFdsRaF9X5qgBkvN+MVyKKw0mnLQJVO+F
        sA0E/PcAgk2H5e5haRXveRD7IyaI28pcRh2X7N7upsp5c25o9rNqrZNKu8WT6AIapOvKQf
        B81/yVRpEwEz40zDk4ZeqVvjw6ubIwdC2ypeP4xIZY/3ZIdaJj3TLw/DzdgXIQ==
Message-ID: <f9fab445-e4f4-88c1-c9a3-0129af1ccf27@vladutescu-zopp.com>
Date: Thu, 19 May 2022 03:09:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.9.0
From: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>
Subject: [PATCH] net: atlantic: Avoid out-of-bounds indexing
To: irusskikh@marvell.com, davem@davemloft.net, edumazet@google.com,
        kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>,
        blairuk@gmail.com, kai.heng.feng@canonical.com
Content-Language: en-US
X-Last-TLS-Session-Version: TLSv1.3
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

A UBSAN warning is observed on atlantic driver:

[ 16.257086] UBSAN: array-index-out-of-bounds in 
drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1268:48
[ 16.257090] index 8 is out of range for type 'aq_vec_s *[8]'

The index is assigned right before breaking out the loop, so there's no
actual deferencing happening.
So only use the index inside the loop to fix the issue.

Same issue was observed and corrected in two other places.

BugLink: https://bugs.launchpad.net/bugs/1958770
Suggested-by: bsdz <blairuk@gmail.com>
Suggested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>
Signed-off-by: Nikolaus Vladutescu-Zopp <nikolaus@vladutescu-zopp.com>
---
   drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 17 ++++++++++-------
   1 file changed, 10 insertions(+), 7 deletions(-)

   		  AQ_CFG_POLLING_TIMER_INTERVAL);
@@ -928,9 +929,10 @@ u64 *aq_nic_get_stats(struct aq_nic_s *self, u64 *data)
   	data += i;

   	for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
-		for (i = 0U, aq_vec = self->aq_vec[0];
-		     aq_vec && self->aq_vecs > i;
-		     ++i, aq_vec = self->aq_vec[i]) {
+		for (i = 0U; self->aq_vecs > i; ++i) {
+			aq_vec = self->aq_vec[i];
+			if (!aq_vec)
+				break;
   			data += count;
   			count = aq_vec_get_sw_stats(aq_vec, tc, data);
   		}
@@ -1264,9 +1266,10 @@ int aq_nic_stop(struct aq_nic_s *self)

   	aq_ptp_irq_free(self);

-	for (i = 0U, aq_vec = self->aq_vec[0];
-		self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+	for (i = 0U; self->aq_vecs > i; ++i) {
+		aq_vec = self->aq_vec[i];
   		aq_vec_stop(aq_vec);
+	}

   	aq_ptp_ring_stop(self);

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index 24d715c28a35..f49645d243ba 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -268,9 +268,10 @@ static void aq_nic_polling_timer_cb(struct
timer_list *t)
   	struct aq_vec_s *aq_vec = NULL;
   	unsigned int i = 0U;

-	for (i = 0U, aq_vec = self->aq_vec[0];
-		self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+	for (i = 0U; self->aq_vecs > i; ++i) {
+		aq_vec = self->aq_vec[i];
   		aq_vec_isr(i, (void *)aq_vec);
+	}

   	mod_timer(&self->polling_timer, jiffies +