Hello Junfeng Guo,
Commit 9a4c07aaa0f5 ("ice: add parser execution main loop") from Jul
25, 2024 (linux-next), leads to the following Smatch static checker
warnings (all four are out-of-bounds writes to the same array):
drivers/net/ethernet/intel/ice/ice_parser_rt.c:124 ice_bst_key_init() error:
buffer overflow 'key' 10 <= 19
drivers/net/ethernet/intel/ice/ice_parser_rt.c:126 ice_bst_key_init() error:
buffer overflow 'key' 10 <= 19
drivers/net/ethernet/intel/ice/ice_parser_rt.c:134 ice_bst_key_init() error:
buffer overflow 'key' 10 <= 18
drivers/net/ethernet/intel/ice/ice_parser_rt.c:136 ice_bst_key_init() error:
buffer overflow 'key' 10 <= 18
drivers/net/ethernet/intel/ice/ice_parser_rt.c
114 static void ice_bst_key_init(struct ice_parser_rt *rt,
115 struct ice_imem_item *imem)
116 {
117 u8 tsr = (u8)rt->gpr[ICE_GPR_TSR_IDX];
118 u16 ho = rt->gpr[ICE_GPR_HO_IDX];
119 u8 *key = rt->bst_key;
120 int idd, i;
121
122 idd = ICE_BST_TCAM_KEY_SIZE - 1;
The key array (rt->bst_key) has ICE_BST_KEY_SIZE (10) elements, but
this index is derived from ICE_BST_TCAM_KEY_SIZE, which is 20, so idd
is 19 and the store below lands nine bytes past the end of the array.
123 if (imem->b_kb.tsr_ctrl)
--> 124 key[idd] = tsr;
^^^^^^^^
It results in memory corruption: key[19] is outside rt->bst_key, so the
tsr/prio byte is written over whatever the compiler placed after
bst_key in struct ice_parser_rt.
125 else
126 key[idd] = imem->b_kb.prio;
127
128 idd = ICE_BST_KEY_TCAM_SIZE - 1;
Same thing again. ICE_BST_KEY_TCAM_SIZE is 19 rather than 20, so idd is
18, but that is still well past the 10-element array: the loop below
writes key[18] down to key[0], and indices 10..18 are out of bounds. The
bytes stored there come from rt->pkt_buf at an offset taken from the HO
register, so (assuming pkt_buf holds the packet being parsed) the
out-of-bounds contents are packet-controlled rather than constants.
129 for (i = idd; i >= 0; i--) {
130 int j;
131
132 j = ho + idd - i;
133 if (j < ICE_PARSER_MAX_PKT_LEN)
134 key[i] = rt->pkt_buf[ho + idd - i];
135 else
136 key[i] = 0;
^^^^^^^^^^^
Corrupt. Both arms of the if write key[i], so the overflow happens
regardless of the j < ICE_PARSER_MAX_PKT_LEN check; that check only
bounds the read from pkt_buf, not the write to key. Note that the key
being assembled here is 20 bytes (byte 19 from tsr/prio, bytes 0..18
from the packet) while the ice_debug() calls below dump only key[0..9],
so either bst_key is undersized for a TCAM key or the indices should be
based on ICE_BST_KEY_SIZE - whichever is intended, the array size, the
index constants and the debug print need to agree.
137 }
138
139 ice_debug(rt->psr->hw, ICE_DBG_PARSER, "Generated Boost TCAM
Key:\n");
140 ice_debug(rt->psr->hw, ICE_DBG_PARSER, "%02X %02X %02X %02X
%02X %02X %02X %02X %02X %02X\n",
141 key[0], key[1], key[2], key[3], key[4],
142 key[5], key[6], key[7], key[8], key[9]);
143 ice_debug(rt->psr->hw, ICE_DBG_PARSER, "\n");
144 }
regards,
dan carpenter