[Intel-wired-lan] [PATCH net] ice: validate FDIR action queue index against VF VSI queue count

Wed, 27 May 2026 00:18:56 -0700 

ice_vc_fdir_parse_action() stores the VF-supplied
action->act_conf.queue.index directly into input->q_index for both
VIRTCHNL_ACTION_QUEUE and VIRTCHNL_ACTION_Q_REGION without checking
whether the index is within the bounds of the VF's VSI.  The validated
value is later programmed into the FDIR descriptor's queue index field,
which means a malicious VF can direct matched traffic to a queue index
it does not own, potentially reaching queues belonging to another VF or
the PF.

Add a bounds check against vsi->num_rxq for both action types, matching
the pattern already used elsewhere in the driver.  Also obtain the VF
VSI pointer locally so the check has access to num_rxq; add the
expected NULL guard for robustness.

Fixes: 0ce332fd62f6 ("ice: Add FDIR pattern action parser for VF")
Fixes: 346bf2504397 ("ice: Add new actions support for VF FDIR")
Cc: [email protected]
Signed-off-by: Aleksandr Loktionov <[email protected]>
---
 drivers/net/ethernet/intel/ice/virt/fdir.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/net/ethernet/intel/ice/virt/fdir.c 
b/drivers/net/ethernet/intel/ice/virt/fdir.c
index 4f1f344..1bc524f 100644
--- a/drivers/net/ethernet/intel/ice/virt/fdir.c
+++ b/drivers/net/ethernet/intel/ice/virt/fdir.c
@@ -1152,6 +1152,7 @@ ice_vc_fdir_parse_action(struct ice_vf *vf, struct 
virtchnl_fdir_add *fltr,
        struct virtchnl_filter_action_set *as = &fltr->rule_cfg.action_set;
        struct device *dev = ice_pf_to_dev(vf->pf);
        struct ice_fdir_fltr *input = &conf->input;
+       struct ice_vsi *vsi;
        u32 dest_num = 0;
        u32 mark_num = 0;
        int i;
@@ -1162,6 +1163,10 @@ ice_vc_fdir_parse_action(struct ice_vf *vf, struct 
virtchnl_fdir_add *fltr,
                return -EINVAL;
        }
 
+       vsi = ice_get_vf_vsi(vf);
+       if (!vsi)
+               return -EINVAL;
+
        for (i = 0; i < as->count; i++) {
                struct virtchnl_filter_action *action = &as->actions[i];
 
@@ -1176,11 +1181,21 @@ ice_vc_fdir_parse_action(struct ice_vf *vf, struct 
virtchnl_fdir_add *fltr,
                        break;
                case VIRTCHNL_ACTION_QUEUE:
                        dest_num++;
+                       if (action->act_conf.queue.index >= vsi->num_rxq) {
+                               dev_dbg(dev, "Invalid queue index %u for VF 
%d\n",
+                                       action->act_conf.queue.index, 
vf->vf_id);
+                               return -EINVAL;
+                       }
                        input->dest_ctl = 
ICE_FLTR_PRGM_DESC_DEST_DIRECT_PKT_QINDEX;
                        input->q_index = action->act_conf.queue.index;
                        break;
                case VIRTCHNL_ACTION_Q_REGION:
                        dest_num++;
+                       if (action->act_conf.queue.index >= vsi->num_rxq) {
+                               dev_dbg(dev, "Invalid queue index %u for VF 
%d\n",
+                                       action->act_conf.queue.index, 
vf->vf_id);
+                               return -EINVAL;
+                       }
                        input->dest_ctl = 
ICE_FLTR_PRGM_DESC_DEST_DIRECT_PKT_QGROUP;
                        input->q_index = action->act_conf.queue.index;
                        input->q_region = action->act_conf.queue.region;
-- 
2.52.0

Reply via email to