[PATCH][next] octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam()

Hariprasad Kelam Fri, 12 Feb 2021 06:52:16 -0800

Hi Gustavo ,

Please see inline,


> -----Original Message-----
> From: Gustavo A. R. Silva <gustavo...@kernel.org>
> Sent: Friday, February 12, 2021 5:53 PM
> To: Sunil Kovvuri Goutham <sgout...@marvell.com>; Geethasowjanya
> Akula <gak...@marvell.com>; Subbaraya Sundeep Bhatta
> <sbha...@marvell.com>; Hariprasad Kelam <hke...@marvell.com>; David
> S. Miller <da...@davemloft.net>; Jakub Kicinski <k...@kernel.org>; Jesse
> Brandeburg <jesse.brandeb...@intel.com>; Christina Jacob
> <cja...@marvell.com>
> Cc: netdev@vger.kernel.org; linux-ker...@vger.kernel.org; Gustavo A. R.
> Silva <gustavo...@kernel.org>; linux-harden...@vger.kernel.org
> Subject: [EXT] [PATCH][next] octeontx2-pf: Fix out-of-bounds read in
> otx2_get_fecparam()
> 
> External Email
> 
> ----------------------------------------------------------------------
> Code at line 967 implies that rsp->fwdata.supported_fec may be up to 4:
> 
>  967: if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX)
>
Thanks for pointing this. I missed this case .
rsp->fwdata.supported_fec range  is 0 to 3.  Certainly 4 causes out-of-bounds.
But proper fix is 
-  if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX)
+ : if (rsp->fwdata.supported_fec < FEC_MAX_INDEX)

Thanks,
Hariprasad k





> If rsp->fwdata.supported_fec evaluates to 4, then there is an out-of-bounds
> read at line 971 because fec is an array with a maximum of 4 elements:
> 
>  954         const int fec[] = {
>  955                 ETHTOOL_FEC_OFF,
>  956                 ETHTOOL_FEC_BASER,
>  957                 ETHTOOL_FEC_RS,
>  958                 ETHTOOL_FEC_BASER | ETHTOOL_FEC_RS};
>  959 #define FEC_MAX_INDEX 4
> 
>  971: fecparam->fec = fec[rsp->fwdata.supported_fec];
> 
> Fix this by properly indexing fec[] with rsp->fwdata.supported_fec - 1.
> In this case the proper indexes 0 to 3 are used when
> rsp->fwdata.supported_fec evaluates to a range of 1 to 4, correspondingly.
> 
> Fixes: d0cf9503e908 ("octeontx2-pf: ethtool fec mode support")
> Addresses-Coverity-ID: 1501722 ("Out-of-bounds read")
> Signed-off-by: Gustavo A. R. Silva <gustavo...@kernel.org>
> ---
>  drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> index 237e5d3321d4..f7e8ada32a26 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
> @@ -968,7 +968,7 @@ static int otx2_get_fecparam(struct net_device
> *netdev,
>               if (!rsp->fwdata.supported_fec)
>                       fecparam->fec = ETHTOOL_FEC_NONE;
>               else
> -                     fecparam->fec = fec[rsp->fwdata.supported_fec];
> +                     fecparam->fec = fec[rsp->fwdata.supported_fec - 1];
>       }
>       return 0;
>  }
> --
> 2.27.0

[PATCH][next] octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam()

Reply via email to