Skip to content

Commit

Permalink
raw/ifpga/base: fix use of untrusted scalar value
Browse files Browse the repository at this point in the history 
[ upstream commit 8234347 ]

Add checking the buffer size and use
const char * for buffer declaration.

Coverity issue: 279449
Fixes: ef1e8ed ("raw/ifpga: add Intel FPGA bus rawdev driver")

Signed-off-by: Tianfei Zhang <tianfei.zhang@intel.com>
Acked-by: Rosen Xu <rosen.xu@intel.com>
  • Loading branch information
@Figo-zhang @kevintraynor
Figo-zhang authored and kevintraynor committed Aug 21, 2019
1 parent 68d2a7f commit 1b084f3
Show file tree
Hide file tree
Showing 7 changed files with 30 additions and 20 deletions.
4 changes: 2 additions & 2 deletions drivers/raw/ifpga_rawdev/base/ifpga_api.c
View file
Expand Up @@ -183,7 +183,7 @@ struct opae_bridge_ops ifpga_br_ops = {
};

/* Manager APIs */
static int ifpga_mgr_flash(struct opae_manager *mgr, int id, void *buf,
static int ifpga_mgr_flash(struct opae_manager *mgr, int id, const char *buf,
u32 size, u64 *status)
{
struct ifpga_fme_hw *fme = mgr->data;
Expand Down Expand Up @@ -230,7 +230,7 @@ struct opae_adapter_ops ifpga_adapter_ops = {
* - 0: Success, partial reconfiguration finished.
* - <0: Error code returned in partial reconfiguration.
**/
int ifpga_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
int ifpga_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size,
u64 *status)
{
if (!is_valid_port_id(hw, port_id))
Expand Down
2 changes: 1 addition & 1 deletion drivers/raw/ifpga_rawdev/base/ifpga_api.h
View file
Expand Up @@ -22,7 +22,7 @@ int ifpga_set_irq(struct ifpga_hw *hw, u32 fiu_id, u32 port_id,
u32 feature_id, void *irq_set);

/* FME APIs */
int ifpga_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
int ifpga_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size,
u64 *status);

#endif /* _IFPGA_API_H_ */
2 changes: 1 addition & 1 deletion drivers/raw/ifpga_rawdev/base/ifpga_feature_dev.h
View file
Expand Up @@ -121,7 +121,7 @@ static inline int fpga_port_reset(struct ifpga_port_hw *port)
return ret;
}

int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
int do_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer, u32 size,
u64 *status);

int fme_get_prop(struct ifpga_fme_hw *fme, struct feature_prop *prop);
Expand Down
27 changes: 16 additions & 11 deletions drivers/raw/ifpga_rawdev/base/ifpga_fme_pr.c
View file
Expand Up @@ -223,8 +223,8 @@ static int fpga_pr_buf_load(struct ifpga_fme_hw *fme_dev,
return 0;
}

static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
u64 *status)
static int fme_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer,
u32 size, u64 *status)
{
struct feature_fme_header *fme_hdr;
struct feature_fme_capability fme_capability;
Expand Down Expand Up @@ -269,7 +269,7 @@ static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
/* Disable Port before PR */
fpga_port_disable(port);

ret = fpga_pr_buf_load(fme, &info, (void *)buffer, size);
ret = fpga_pr_buf_load(fme, &info, buffer, size);

*status = info.pr_err;

Expand All @@ -280,27 +280,32 @@ static int fme_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size,
return ret;
}

int do_pr(struct ifpga_hw *hw, u32 port_id, void *buffer, u32 size, u64 *status)
int do_pr(struct ifpga_hw *hw, u32 port_id, const char *buffer,
u32 size, u64 *status)
{
struct bts_header *bts_hdr;
void *buf;
const struct bts_header *bts_hdr;
const char *buf;
struct ifpga_port_hw *port;
int ret;
u32 header_size;

if (!buffer || size == 0) {
dev_err(hw, "invalid parameter\n");
return -EINVAL;
}

bts_hdr = (struct bts_header *)buffer;
bts_hdr = (const struct bts_header *)buffer;

if (is_valid_bts(bts_hdr)) {
dev_info(hw, "this is a valid bitsteam..\n");
size -= (sizeof(struct bts_header) +
bts_hdr->metadata_len);
buf = (u8 *)buffer + sizeof(struct bts_header) +
bts_hdr->metadata_len;
header_size = sizeof(struct bts_header) +
bts_hdr->metadata_len;
if (size < header_size)
return -EINVAL;
size -= header_size;
buf = buffer + header_size;
} else {
dev_err(hw, "this is an invalid bitstream..\n");
return -EINVAL;
}

Expand Down
4 changes: 2 additions & 2 deletions drivers/raw/ifpga_rawdev/base/opae_hw_api.c
View file
Expand Up @@ -241,8 +241,8 @@ opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data)
*
* Return: 0 on success, otherwise error code.
*/
int opae_manager_flash(struct opae_manager *mgr, int id, void *buf, u32 size,
u64 *status)
int opae_manager_flash(struct opae_manager *mgr, int id, const char *buf,
u32 size, u64 *status)
{
if (!mgr)
return -EINVAL;
Expand Down
4 changes: 2 additions & 2 deletions drivers/raw/ifpga_rawdev/base/opae_hw_api.h
View file
Expand Up @@ -40,15 +40,15 @@ struct opae_manager {

/* FIXME: add more management ops, e.g power/thermal and etc */
struct opae_manager_ops {
int (*flash)(struct opae_manager *mgr, int id, void *buffer,
int (*flash)(struct opae_manager *mgr, int id, const char *buffer,
u32 size, u64 *status);
};

/* OPAE Manager APIs */
struct opae_manager *
opae_manager_alloc(const char *name, struct opae_manager_ops *ops, void *data);
#define opae_manager_free(mgr) opae_free(mgr)
int opae_manager_flash(struct opae_manager *mgr, int acc_id, void *buf,
int opae_manager_flash(struct opae_manager *mgr, int acc_id, const char *buf,
u32 size, u64 *status);

/* OPAE Bridge Data Structure */
Expand Down
7 changes: 6 additions & 1 deletion drivers/raw/ifpga_rawdev/ifpga_rawdev.c
View file
Expand Up @@ -177,7 +177,7 @@ ifpga_rawdev_reset(struct rte_rawdev *dev)
}

static int
fpga_pr(struct rte_rawdev *raw_dev, u32 port_id, u64 *buffer, u32 size,
fpga_pr(struct rte_rawdev *raw_dev, u32 port_id, const char *buffer, u32 size,
u64 *status)
{

Expand Down Expand Up @@ -248,6 +248,11 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
goto close_fd;
}
buffer_size = file_stat.st_size;
if (buffer_size <= 0) {
ret = -EINVAL;
goto close_fd;
}

IFPGA_RAWDEV_PMD_INFO("bitstream file size: %zu\n", buffer_size);
buffer = rte_malloc(NULL, buffer_size, 0);
if (!buffer) {
Expand Down

0 comments on commit 1b084f3

Please sign in to comment.