[Intel-wired-lan] [PATCH iwl-net v2] ice: avoid infinite loop if NVM has invalid TLV length

Jacob Keller jacob.e.keller at intel.com
Fri May 17 23:10:43 UTC 2024



On 5/17/2024 4:08 PM, Jacob Keller wrote:
> The ice_get_pfa_module_tlv() function iterates over the TLVs in the
> Preserved Fields Area (PFA) of the NVM. This is used to access data such as
> the Part Board Assembly identifier.
> 
> Some NVMs in the wild have been found with incorrect TLV lengths including
> at least one which reports a TLV length of 0xFFFF. When trying to read the
> PBA from such an NVM, the driver will compute a new offset for the next_tlv
> which is lower, due to overflowing the 16-bit next_tlv variable.
> 
> In the best case, the driver will incorrectly interpret values until it
> finds one which has an offset greater than the PFA area without
> overflowing. In the worst case, the values in the NVM result in an infinite
> loop as the misinterpreted lengths result in checking offsets which are
> valid within the PFA, and which ultimately point in an infinite loop.
> 
> Fix this by using check_add_overflow when calculating the NVM offsets, and
> bailing if we ever overflow. Additionally, use check_add_overflow when
> calculating the initial maximum PFA size.
> 
> This ensures that we bail immediately on encountering any TLV whose length
> would have caused the naive addition to overflow, rather than entering an
> infinite loop or otherwise misinterpreting NVM values.
> 
> Co-developed-by: Paul Greenwalt <paul.greenwalt at intel.com>
> Signed-off-by: Paul Greenwalt <paul.greenwalt at intel.com>
> Signed-off-by: Jacob Keller <jacob.e.keller at intel.com>

Fixes: e961b679fb0b ("ice: add board identifier info to devlink .info_get")

I'll ensure this gets added to the commit when queuing, as I forgot to
add it when re-writing this commit message.
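As an added illustration (not code from the patch or the ice driver), a userspace model of the PFA walk described in the commit message: the naive 16-bit next_tlv arithmetic beside an overflow-checked version. The NVM word layout, the sample values, and the use of `__builtin_add_overflow` as a stand-in for the kernel's `check_add_overflow` are constructed assumptions.

```c
#include <stdint.h>

typedef uint16_t u16;

/* Simplified model of the NVM: an array of 16-bit words where nvm[pfa_ptr]
 * holds the PFA length in words and TLVs (type, length, data...) follow it.
 * Offsets are 16-bit, like next_tlv in the driver. Constructed sample: the
 * second TLV claims length 0xFFFB, so 4 + 2 + 0xFFFB wraps back to offset 1. */
static const u16 pfa_ptr = 0;
static const u16 nvm[] = { 8, 0x0001, 0x0001, 0xAAAA, 0x0002, 0xFFFB, 0, 0 };

#define ITER_GUARD 64  /* stops the naive walker so the demo terminates */

enum walk { WALK_FOUND, WALK_NOT_FOUND, WALK_OVERFLOW, WALK_LOOPED };

/* Naive walk: plain 16-bit arithmetic, as in the bug described above. */
enum walk walk_naive(u16 want, u16 *off)
{
    u16 max_tlv = pfa_ptr + nvm[pfa_ptr];   /* one past the PFA */
    u16 next_tlv = pfa_ptr + 1;
    int iter = 0;

    while (next_tlv + 1 < max_tlv) {        /* need room for a TLV header */
        if (iter++ >= ITER_GUARD) return WALK_LOOPED;
        if (nvm[next_tlv] == want) { *off = next_tlv; return WALK_FOUND; }
        next_tlv = next_tlv + 2 + nvm[next_tlv + 1];   /* silently wraps */
    }
    return WALK_NOT_FOUND;
}

/* Checked walk: __builtin_add_overflow stands in for the kernel's
 * check_add_overflow(); any wrap of the 16-bit offset aborts the search. */
enum walk walk_checked(u16 want, u16 *off)
{
    u16 max_tlv, next_tlv, tmp;

    if (__builtin_add_overflow(pfa_ptr, nvm[pfa_ptr], &max_tlv))
        return WALK_OVERFLOW;
    next_tlv = pfa_ptr + 1;
    while (next_tlv + 1 < max_tlv) {
        if (nvm[next_tlv] == want) { *off = next_tlv; return WALK_FOUND; }
        if (__builtin_add_overflow(next_tlv, 2, &tmp) ||
            __builtin_add_overflow(tmp, nvm[next_tlv + 1], &next_tlv))
            return WALK_OVERFLOW;
    }
    return WALK_NOT_FOUND;
}
```

Looking up type 2 succeeds in both walkers; looking up an absent type 3 makes the naive walker cycle 1 -> 4 -> 1 until the guard trips, while the checked walker stops at the first wrapped offset.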
