[Intel-wired-lan] [PATCH net] ice: fix out-of-bounds KASAN warining in virtchnl

Michal Swiatkowski michal.swiatkowski at linux.intel.com
Wed Dec 21 18:29:37 UTC 2022


On Wed, Dec 21, 2022 at 05:37:26PM +0100, Alexander Lobakin wrote:
> From: Michal Swiatkowski <michal.swiatkowski at linux.intel.com>
> Date: Wed, 21 Dec 2022 10:27:46 +0100
> 
> > KASAN reported:
> > [ 9793.708867] BUG: KASAN: global-out-of-bounds in ice_get_link_speed+0x16/0x30 [ice]
> > [ 9793.709205] Read of size 4 at addr ffffffffc1271b1c by task kworker/6:1/402
> > 
> > [ 9793.709222] CPU: 6 PID: 402 Comm: kworker/6:1 Kdump: loaded Tainted: G    B      OE      6.1.0+ #3
> > [ 9793.709235] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018
> > [ 9793.709245] Workqueue: ice ice_service_task [ice]
> 
> [...]
> 
> > diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
> > index 4b78bfb0d7f9..a24b5cb95039 100644
> > --- a/drivers/net/ethernet/intel/ice/ice_common.c
> > +++ b/drivers/net/ethernet/intel/ice/ice_common.c
> > @@ -5562,7 +5562,7 @@ bool ice_fw_supports_report_dflt_cfg(struct ice_hw *hw)
> >   * returned by the firmware is a 16 bit * value, but is indexed
> >   * by [fls(speed) - 1]
> >   */
> > -static const u32 ice_aq_to_link_speed[15] = {
> > +static const u32 ice_aq_to_link_speed[] = {
> >  	SPEED_10,	/* BIT(0) */
> >  	SPEED_100,
> >  	SPEED_1000,
> > @@ -5577,7 +5577,8 @@ static const u32 ice_aq_to_link_speed[15] = {
> >  	0,
> >  	0,
> >  	0,
> > -	0		/* BIT(14) */
> > +	0,
> > +	0		/* BIT(15) */
> >  };
> 
> I warned Jesse that no index check might cause out-of-bounds walks
> and here they are. I suggested the following back then:
> 
> 1) Don't define any zeroed elements and elements with
>    %VIRTCHNL_LINK_SPEED_UNKNOWN. Don't define explicit array bounds.
> 
> 2) In ice_get_link_speed():
> 
> 	if (index >= ARRAY_SIZE(ice_aq_to_link_speed))
> 		return 0;
> 
> 	return ice_aq_to_link_speed[index];
> 
> 3) Same in ice_conv_link_speed_to_virtchnl():
> 
> 	u32 index = fls(link_speed) - 1;
> 
> 	if (adv_link_support)
> 		return ice_get_link_speed(index);
> 	else if (index < ARRAY_SIZE(ice_legacy_aq_to_vc_speed))
> 		return ice_legacy_aq_to_vc_speed[index];
> 	else
> 		return VIRTCHNL_LINK_SPEED_UNKNOWN;
> 
> This could go as a fix to net with no problems.
> 

Sounds reasonable, I will do it in next version, thanks.
> >  
> >  /**
> > diff --git a/drivers/net/ethernet/intel/ice/ice_vf_mbx.c b/drivers/net/ethernet/intel/ice/ice_vf_mbx.c
> > index d4a4001b6e5d..5f754d41f345 100644
> > --- a/drivers/net/ethernet/intel/ice/ice_vf_mbx.c
> > +++ b/drivers/net/ethernet/intel/ice/ice_vf_mbx.c
> 
> [...]
> 
> > -- 
> > 2.36.1
> 
> Thanks,
> Olek


More information about the Intel-wired-lan mailing list