| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Aug 2023 17:39:01 +0200
From: Simon Horman <horms@...nel.org>
To: Junfeng Guo <junfeng.guo@...el.com>
Cc: intel-wired-lan@...ts.osuosl.org, netdev@...r.kernel.org,
anthony.l.nguyen@...el.com, jesse.brandeburg@...el.com,
qi.z.zhang@...el.com, ivecera@...hat.com,
sridhar.samudrala@...el.com, kuba@...nel.org, edumazet@...gle.com,
davem@...emloft.net, pabeni@...hat.com
Subject: Re: [PATCH iwl-next v8 12/15] ice: add parser execution main loop
On Thu, Aug 24, 2023 at 03:54:57PM +0800, Junfeng Guo wrote:
> Implement function ice_parser_rt_execute which perform the main
> loop of the parser.
>
> Also include the Parser Library files into ice Makefile.
>
> Signed-off-by: Junfeng Guo <junfeng.guo@...el.com>
...
> @@ -80,6 +107,632 @@ void ice_parser_rt_pktbuf_set(struct ice_parser_rt *rt, const u8 *pkt_buf,
> memcpy(&rt->gpr[ICE_GPR_HV_IDX], &rt->pkt_buf[ho], ICE_GPR_HV_SIZE);
> }
>
> +static void _ice_bst_key_init(struct ice_parser_rt *rt,
> + struct ice_imem_item *imem)
> +{
> + u8 tsr = (u8)rt->gpr[ICE_GPR_TSR_IDX];
> + u16 ho = rt->gpr[ICE_GPR_HO_IDX];
> + u8 *key = rt->bst_key;
> + int idd, i;
> +
> + idd = ICE_BST_TCAM_KEY_SIZE - 1;
> + if (imem->b_kb.tsr_ctrl)
> + key[idd] = (u8)tsr;
> + else
> + key[idd] = imem->b_kb.prio;
> +
> + idd = ICE_BST_KEY_TCAM_SIZE - 1;
> + for (i = idd; i >= 0; i--) {
> + int j;
> +
> + j = ho + idd - i;
> + if (j < ICE_PARSER_MAX_PKT_LEN)
> + key[i] = rt->pkt_buf[ho + idd - i];
> + else
> + key[i] = 0;
> + }
> +
> + ice_debug(rt->psr->hw, ICE_DBG_PARSER, "Generated Boost TCAM Key:\n");
> + ice_debug(rt->psr->hw, ICE_DBG_PARSER, "%02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X\n",
> + key[0], key[1], key[2], key[3], key[4],
> + key[5], key[6], key[7], key[8], key[9],
> + key[10], key[11], key[12], key[13], key[14],
> + key[15], key[16], key[17], key[18], key[19]);
Hi Junfeng Guo,
key points to rt->bst_key which has ICE_BST_KEY_SIZE (10) elements.
But here 20 elements are accessed. This seems to be an overrun.
Flagged by Smatch.
> + ice_debug(rt->psr->hw, ICE_DBG_PARSER, "\n");
> +}
> +
Powered by blists - more mailing lists