Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()

The loops in 'qede_tpa_cont()' and 'qede_tpa_end()' iterate
over 'cqe->len_list[]' using only a zero-length terminator as
the stopping condition. If the terminator was missing or
malformed, the loop could run past the end of the fixed-size array.

Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
a potential out-of-bounds access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by Pavel Zhigulin and committed by Paolo Abeni
896f1a24 8e0a754b

+3 -2
drivers/net/ethernet/qlogic/qede/qede_fp.c
··· 4 4 * Copyright (c) 2019-2020 Marvell International Ltd. 5 5 */ 6 6 7 + #include <linux/array_size.h> 7 8 #include <linux/netdevice.h> 8 9 #include <linux/etherdevice.h> 9 10 #include <linux/skbuff.h> ··· 961 960 { 962 961 int i; 963 962 964 - for (i = 0; cqe->len_list[i]; i++) 963 + for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) 965 964 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, 966 965 le16_to_cpu(cqe->len_list[i])); 967 966 ··· 986 985 dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, 987 986 PAGE_SIZE, rxq->data_direction); 988 987 989 - for (i = 0; cqe->len_list[i]; i++) 988 + for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) 990 989 qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, 991 990 le16_to_cpu(cqe->len_list[i])); 992 991 if (unlikely(i > 1))
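Review bot: In the first loop hunk the new condition `cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list)` reads `cqe->len_list[i]` before it tests the index, so when no zero terminator is present the loop still reads one element past the array at `i == ARRAY_SIZE(cqe->len_list)` before the bound stops it. Put the bound first so the short-circuit skips the read: `i < ARRAY_SIZE(cqe->len_list) && cqe->len_list[i]`.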
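Review bot: The second loop hunk (the one following `dma_unmap_page()`) has the same operand order, with `cqe->len_list[i]` evaluated before `i < ARRAY_SIZE(cqe->len_list)`; the index test should come first here as well. An exit on the bound is also treated exactly like an exit on the terminator, so the `if (unlikely(i > 1))` check that follows cannot tell a full list from one whose terminator is missing; a short comment saying whether that case should be reported would help.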