[Intel-wired-lan] [PATCH net] ice: fix out-of-bounds KASAN warining in virtchnl
Alexander Lobakin
alexandr.lobakin at intel.com
Wed Dec 21 16:37:26 UTC 2022
From: Michal Swiatkowski <michal.swiatkowski at linux.intel.com>
Date: Wed, 21 Dec 2022 10:27:46 +0100
> KASAN reported:
> [ 9793.708867] BUG: KASAN: global-out-of-bounds in ice_get_link_speed+0x16/0x30 [ice]
> [ 9793.709205] Read of size 4 at addr ffffffffc1271b1c by task kworker/6:1/402
>
> [ 9793.709222] CPU: 6 PID: 402 Comm: kworker/6:1 Kdump: loaded Tainted: G B OE 6.1.0+ #3
> [ 9793.709235] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018
> [ 9793.709245] Workqueue: ice ice_service_task [ice]
[...]
> diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
> index 4b78bfb0d7f9..a24b5cb95039 100644
> --- a/drivers/net/ethernet/intel/ice/ice_common.c
> +++ b/drivers/net/ethernet/intel/ice/ice_common.c
> @@ -5562,7 +5562,7 @@ bool ice_fw_supports_report_dflt_cfg(struct ice_hw *hw)
> * returned by the firmware is a 16 bit * value, but is indexed
> * by [fls(speed) - 1]
> */
> -static const u32 ice_aq_to_link_speed[15] = {
> +static const u32 ice_aq_to_link_speed[] = {
> SPEED_10, /* BIT(0) */
> SPEED_100,
> SPEED_1000,
> @@ -5577,7 +5577,8 @@ static const u32 ice_aq_to_link_speed[15] = {
> 0,
> 0,
> 0,
> - 0 /* BIT(14) */
> + 0,
> + 0 /* BIT(15) */
> };
I warned Jesse that no index check might cause out-of-bounds walks
and here they are. I suggested the following back then:
1) Don't define any zeroed elements and elements with
%VIRTCHNL_LINK_SPEED_UNKNOWN. Don't define explicit array bounds.
2) In ice_get_link_speed():
if (index >= ARRAY_SIZE(ice_aq_to_link_speed))
return 0;
return ice_aq_to_link_speed[index];
3) Same in ice_conv_link_speed_to_virtchnl():
u32 index = fls(link_speed) - 1;
if (adv_link_support)
return ice_get_link_speed(index);
else if (index < ARRAY_SIZE(ice_legacy_aq_to_vc_speed))
return ice_legacy_aq_to_vc_speed[index];
else
return VIRTCHNL_LINK_SPEED_UNKNOWN;
This could go as a fix to net with no problems.
>
> /**
> diff --git a/drivers/net/ethernet/intel/ice/ice_vf_mbx.c b/drivers/net/ethernet/intel/ice/ice_vf_mbx.c
> index d4a4001b6e5d..5f754d41f345 100644
> --- a/drivers/net/ethernet/intel/ice/ice_vf_mbx.c
> +++ b/drivers/net/ethernet/intel/ice/ice_vf_mbx.c
[...]
> --
> 2.36.1
Thanks,
Olek
More information about the Intel-wired-lan
mailing list