The if statement:
if (port >= DSAF_GE_NUM)
return;
limits the value of port less than DSAF_GE_NUM (i.e., 8).
However, if the value of port is 6 or 7, an array overflow could occur:
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
To fix this possible array overflow, we first check port and if it is
greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
Reported-by: TOTE Robot <[email protected]>
Signed-off-by: Teng Qi <[email protected]>
---
drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
index 23d9cbf262c3..740850b64aff 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
@@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
return;
if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
+ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
+ We need check to prevent array overflow */
+ if (port >= DSAF_MAX_PORT_NUM)
+ return;
reg_val_1 = 0x1 << port;
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
/* there is difference between V1 and V2 in register.*/
--
2.25.1
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <[email protected]>:
On Wed, 17 Nov 2021 11:44:53 +0800 you wrote:
> The if statement:
> if (port >= DSAF_GE_NUM)
> return;
>
> limits the value of port less than DSAF_GE_NUM (i.e., 8).
> However, if the value of port is 6 or 7, an array overflow could occur:
> port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
>
> [...]
Here is the summary with links:
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
https://git.kernel.org/netdev/net/c/a66998e0fbf2
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Sorry for the late reply.
Seeing this functions:
static int hns_mac_get_max_port_num(struct dsaf_device *dsaf_dev)
{
if (HNS_DSAF_IS_DEBUG(dsaf_dev))
return 1;
else
return DSAF_MAX_PORT_NUM;
}
int hns_mac_init(struct dsaf_device *dsaf_dev)
{
bool found = false;
int ret;
u32 port_id;
int max_port_num = hns_mac_get_max_port_num(dsaf_dev);
struct hns_mac_cb *mac_cb;
struct fwnode_handle *child;
device_for_each_child_node(dsaf_dev->dev, child) {
ret = fwnode_property_read_u32(child, "reg", &port_id);
if (ret) {
dev_err(dsaf_dev->dev,
"get reg fail, ret=%d!\n", ret);
return ret;
}
if (port_id >= max_port_num) {
dev_err(dsaf_dev->dev,
"reg(%u) out of range!\n", port_id);
return -EINVAL;
}
The port_id had limit to DSAF_MAX_PORT_NUM, so this patch is
unnecessary, thanks!
On 2021/11/17 11:44, Teng Qi wrote:
> The if statement:
> if (port >= DSAF_GE_NUM)
> return;
>
> limits the value of port less than DSAF_GE_NUM (i.e., 8).
> However, if the value of port is 6 or 7, an array overflow could occur:
> port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
>
> because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
>
> To fix this possible array overflow, we first check port and if it is
> greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
>
> Reported-by: TOTE Robot <[email protected]>
> Signed-off-by: Teng Qi <[email protected]>
> ---
> drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
> index 23d9cbf262c3..740850b64aff 100644
> --- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
> +++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
> @@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
> return;
>
> if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
> + /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
> + We need check to prevent array overflow */
> + if (port >= DSAF_MAX_PORT_NUM)
> + return;
> reg_val_1 = 0x1 << port;
> port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
> /* there is difference between V1 and V2 in register.*/
>