diff mbox series

[v2] net/txgbe: fix out of bound access

Message ID	20231117101204.2389690-1-ferruh.yigit@amd.com (mailing list archive)
State	Accepted, archived
Delegated to:	Ferruh Yigit
Headers	Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C From: Ferruh Yigit <ferruh.yigit@amd.com> To: Jiawen Wu <jiawenwu@trustnetic.com>, Jian Wang <jianwang@trustnetic.com>, Ferruh Yigit <ferruh.yigit@intel.com> CC: <dev@dpdk.org>, <stable@dpdk.org>, Luca Boccassi <luca.boccassi@microsoft.com> Subject: [PATCH v2] net/txgbe: fix out of bound access Date: Fri, 17 Nov 2023 10:12:04 +0000 Message-ID: <20231117101204.2389690-1-ferruh.yigit@amd.com> In-Reply-To: <20231116140718.4026676-1-ferruh.yigit@amd.com> References: <20231116140718.4026676-1-ferruh.yigit@amd.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Errors-To: dev-bounces@dpdk.org
Series	[v2] net/txgbe: fix out of bound access \| [v2] net/txgbe: fix out of bound access

Checks

Context	Check	Description
ci/checkpatch	warning	coding style issues
ci/loongarch-compilation	success	Compilation OK
ci/loongarch-unit-testing	success	Unit Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/github-robot: build	success	github build: passed
ci/intel-Testing	success	Testing PASS
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-compile-amd64-testing	success	Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-sample-apps-testing	success	Testing PASS
ci/iol-unit-amd64-testing	success	Testing PASS
ci/iol-unit-arm64-testing	success	Testing PASS
ci/iol-compile-arm64-testing	success	Testing PASS
ci/intel-Functional	success	Functional PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/iol-broadcom-Functional	success	Functional Testing PASS

Commit Message

Ferruh Yigit Nov. 17, 2023, 10:12 a.m. UTC

  Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:

 In function 'txgbe_host_interface_command',
     inlined from 'txgbe_host_interface_command'
             at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
     inlined from 'txgbe_hic_reset'
             at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
 ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
    error: array subscript 2 is outside array bounds ofr
           'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
   145 |                     buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
 ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
 ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
    note: at offset 8 into object 'reset_cmd' of size 8
   331 |         struct txgbe_hic_reset reset_cmd;
       |                                ^~~~~~~~~

Access to buffer done based on command code, the case complained by
FW_RESET_CMD has short buffer but this code path only taken with command
0x30, so this shouldn't be a problem.

Command 0x30 no more used, removing this exception check that cause
build error.

[1]
https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log

[2]
gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912

Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
Cc: stable@dpdk.org

Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Ferruh Yigit <ferruh.yigit@amd.com>
---
Cc: jiawenwu@trustnetic.com
Cc: jianwang@trustnetic.com

v2:
* Removed exception check for command 0x30
---
 drivers/net/txgbe/base/txgbe_mng.c | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

Comments

Jiawen Wu Nov. 20, 2023, 1:51 a.m. UTC | #1

On Friday, November 17, 2023 6:12 PM, Ferruh.Yigit@amd.com wrote:
> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
> 
>  In function 'txgbe_host_interface_command',
>      inlined from 'txgbe_host_interface_command'
>              at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
>      inlined from 'txgbe_hic_reset'
>              at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
>  ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
>     error: array subscript 2 is outside array bounds ofr
>            'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
>    145 |                     buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>  ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
>  ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
>     note: at offset 8 into object 'reset_cmd' of size 8
>    331 |         struct txgbe_hic_reset reset_cmd;
>        |                                ^~~~~~~~~
> 
> Access to buffer done based on command code, the case complained by
> FW_RESET_CMD has short buffer but this code path only taken with command
> 0x30, so this shouldn't be a problem.
> 
> Command 0x30 no more used, removing this exception check that cause
> build error.
> 
> [1]
> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
> 
> [2]
> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
> 
> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
> Cc: stable@dpdk.org
> 
> Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
> Signed-off-by: Ferruh Yigit <ferruh.yigit@amd.com>
> ---
> Cc: jiawenwu@trustnetic.com
> Cc: jianwang@trustnetic.com
> 
> v2:
> * Removed exception check for command 0x30
> ---
>  drivers/net/txgbe/base/txgbe_mng.c | 16 +---------------
>  1 file changed, 1 insertion(+), 15 deletions(-)
> 
> diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
> index df7145094f84..029a0a1fe143 100644
> --- a/drivers/net/txgbe/base/txgbe_mng.c
> +++ b/drivers/net/txgbe/base/txgbe_mng.c
> @@ -141,21 +141,7 @@ txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
>  	for (bi = 0; bi < dword_len; bi++)
>  		buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
> 
> -	/*
> -	 * If there is any thing in data position pull it in
> -	 * Read Flash command requires reading buffer length from
> -	 * two byes instead of one byte
> -	 */
> -	if (resp->cmd == 0x30) {
> -		for (; bi < dword_len + 2; bi++)
> -			buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
> -
> -		buf_len = (((u16)(resp->cmd_or_resp.ret_status) << 3)
> -				  & 0xF00) | resp->buf_len;
> -		hdr_size += (2 << 2);
> -	} else {
> -		buf_len = resp->buf_len;
> -	}
> +	buf_len = resp->buf_len;
>  	if (!buf_len)
>  		goto rel_out;
> 
> --
> 2.34.1

Thanks Ferruh,

Reviewed-by: Jiawen Wu <jiawenwu@trustnetic.com>

Ferruh Yigit Nov. 20, 2023, 9:53 a.m. UTC | #2

On 11/20/2023 1:51 AM, Jiawen Wu wrote:
> On Friday, November 17, 2023 6:12 PM, Ferruh.Yigit@amd.com wrote:
>> Reported by SuSe CI [1] by GCC [2], possibly false positive. Error:
>>
>>  In function 'txgbe_host_interface_command',
>>      inlined from 'txgbe_host_interface_command'
>>              at ../drivers/net/txgbe/base/txgbe_mng.c:104:1,
>>      inlined from 'txgbe_hic_reset'
>>              at ../drivers/net/txgbe/base/txgbe_mng.c:345:9:
>>  ../drivers/net/txgbe/base/txgbe_mng.c:145:36:
>>     error: array subscript 2 is outside array bounds ofr
>>            'struct txgbe_hic_reset[1]' [-Werror=array-bounds=]
>>    145 |                     buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
>>  ../drivers/net/txgbe/base/txgbe_mng.c: In function 'txgbe_hic_reset':
>>  ../drivers/net/txgbe/base/txgbe_mng.c:331:32:
>>     note: at offset 8 into object 'reset_cmd' of size 8
>>    331 |         struct txgbe_hic_reset reset_cmd;
>>        |                                ^~~~~~~~~
>>
>> Access to buffer done based on command code, the case complained by
>> FW_RESET_CMD has short buffer but this code path only taken with command
>> 0x30, so this shouldn't be a problem.
>>
>> Command 0x30 no more used, removing this exception check that cause
>> build error.
>>
>> [1]
>> https://build.opensuse.org/public/build/home:bluca:dpdk/openSUSE_Factory_ARM/armv7l/dpdk-20.11/_log
>>
>> [2]
>> gcc 13.2.1 "cc (SUSE Linux) 13.2.1 20230912
>>
>> Fixes: 35c90ecccfd4 ("net/txgbe: add EEPROM functions")
>> Cc: stable@dpdk.org
>>
>> Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
>> Signed-off-by: Ferruh Yigit <ferruh.yigit@amd.com>>
> Reviewed-by: Jiawen Wu <jiawenwu@trustnetic.com>
> 

Applied to dpdk-next-net/main, thanks.

diff mbox series

Patch

diff --git a/drivers/net/txgbe/base/txgbe_mng.c b/drivers/net/txgbe/base/txgbe_mng.c
index df7145094f84..029a0a1fe143 100644
--- a/drivers/net/txgbe/base/txgbe_mng.c
+++ b/drivers/net/txgbe/base/txgbe_mng.c
@@ -141,21 +141,7 @@  txgbe_host_interface_command(struct txgbe_hw *hw, u32 *buffer,
 	for (bi = 0; bi < dword_len; bi++)
 		buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
 
-	/*
-	 * If there is any thing in data position pull it in
-	 * Read Flash command requires reading buffer length from
-	 * two byes instead of one byte
-	 */
-	if (resp->cmd == 0x30) {
-		for (; bi < dword_len + 2; bi++)
-			buffer[bi] = rd32a(hw, TXGBE_MNGMBX, bi);
-
-		buf_len = (((u16)(resp->cmd_or_resp.ret_status) << 3)
-				  & 0xF00) | resp->buf_len;
-		hdr_size += (2 << 2);
-	} else {
-		buf_len = resp->buf_len;
-	}
+	buf_len = resp->buf_len;
 	if (!buf_len)
 		goto rel_out;