From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [DPDK/ethdev Bug 1801] ixgbe VF: buffer overrun risk in ixgbevf_get_pf_link_state() — msgbuf sized 3 dwords but size passed as 6
Date: Sat, 11 Oct 2025 08:07:07 +0000	[thread overview]
Message-ID: <bug-1801-3@http.bugs.dpdk.org/> (raw)

http://bugs.dpdk.org/show_bug.cgi?id=1801

            Bug ID: 1801
           Summary: ixgbe VF: buffer overrun risk in
                    ixgbevf_get_pf_link_state() — msgbuf sized 3 dwords
                    but size passed as 6
           Product: DPDK
           Version: 24.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: ethdev
          Assignee: dev@dpdk.org
          Reporter: fenghua.lyn@gmail.com
  Target Milestone: ---

Component: ixgbe VF mailbox (file: /drivers/net/intel/ixgbe/base/ixgbe_vf.c)

Function: ixgbevf_get_pf_link_state

Issue: The function allocates a 3-DWORD buffer msgbuf[3] but calls the mailbox
helper with a size of 6:

ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 6);

In this API, the size argument is the number of DWORDs (u32), not bytes.
Passing 6 causes the mailbox code to read/write beyond the 3-element buffer,
which is a buffer overrun.

Symptoms/Impact:

Potential stack/adjacent memory corruption.

Spurious link speed/state results.

Intermittent crashes or undefined behavior, especially under mailbox activity.

Root Cause:

Size/count mismatch: the mailbox APIs in this codebase consistently use “number
of u32 words” as the size unit (e.g., elsewhere we pass 2, 3, 5). This one call
site incorrectly passes 6 while the buffer is only 3 u32.

Fix:

Pass the correct DWORD count for the buffer, i.e., change 6 to 3.

Prefer a future-proof pattern using ARRAY_SIZE(msgbuf) to avoid similar
mistakes.

Corrected code snippet:

err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 3);
// or
err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, ARRAY_SIZE(msgbuf));

Risk Assessment:
Risk Assessment:

Low risk; this change aligns with the mailbox interface semantics used
throughout the file.

Reduces risk of memory corruption and improves stability when retrieving PF
link state.

How to Reproduce:

Build with stack protection and run a VF that frequently queries PF link state.

Observe potential stack canary trips or sanitizer complaints around
ixgbevf_get_pf_link_state.

Alternatively, instrument ixgbevf_write_msg_read_ack to assert the size does
not exceed the buffer’s capacity.

Affected Versions:

Any version containing this exact implementation of ixgbevf_get_pf_link_state
where msgbuf is 3 u32 elements and the call passes size 6.

Additional Notes:

Other call sites in this file consistently use correct sizes (e.g., 2, 3, 5).
This appears to be a one-off typo.

Status: I reviewed the provided file content and pinpointed the size/count
mismatch in ixgbevf_get_pf_link_state. If you want, I can submit a minimal
patch changing 6 to 3 or to ARRAY_SIZE(msgbuf).

Proposed change in ixgbevf_get_pf_link_state:

Replace ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 6); with
ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, 3);

Impact:

Prevents out-of-bounds mailbox read/write on the VF stack buffer.

Aligns with mailbox usage elsewhere, improving correctness and stability.

-- 
You are receiving this mail because:
You are the assignee for the bug.
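The report's root cause and its suggested instrumentation (a word-count interface with no knowledge of the caller's buffer, and a helper that asserts the requested size fits) can be shown with a small model. The following is an added example, not code from the bug report or from the DPDK ixgbe driver: the mailbox register file, the PF responder, the opcode value and the names mbx_write_read_unchecked, mbx_write_read_checked, MBX_XFER and query_link_state are all constructed stand-ins. What it keeps from the report is the interface shape: size is a count of u32 words, and a checked wrapper plus an ARRAY_SIZE-bound macro make the 6-versus-3 mismatch a rejected call instead of a stack overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Assumption: the modelled mailbox has 16 dword slots and all sizes are
 * counts of u32 words, as the report describes for the real helper. */
#define MBX_SLOTS 16U
#define VF_MSG_ACK 0x80000000u

enum { MBX_OK = 0, MBX_ERR_SIZE = -1, MBX_ERR_NACK = -2 };

/* Hypothetical stand-in for struct ixgbe_hw: only what the model needs. */
struct mbx_model {
    uint32_t slots[MBX_SLOTS]; /* request written here, reply read back from here */
    size_t words_written;      /* how many words the last request pushed */
};

/* Constructed PF side: acknowledges the opcode and fills the reply words. */
static void pf_respond(struct mbx_model *hw, size_t size)
{
    hw->slots[0] |= VF_MSG_ACK;
    for (size_t i = 1; i < size; i++)
        hw->slots[i] = 0x1000u * (uint32_t)i; /* e.g. speed, link state */
}

/* Unchecked transfer, shaped like the report's helper: copies 'size' u32
 * words from msg into the mailbox and the reply back into msg. Nothing
 * here knows how large msg really is, which is exactly why a caller that
 * passes 6 for a 3-word buffer overruns its own stack. The only bound is
 * the mailbox itself. */
static int mbx_write_read_unchecked(struct mbx_model *hw, uint32_t *msg, size_t size)
{
    if (size == 0 || size > MBX_SLOTS)
        return MBX_ERR_SIZE;
    memcpy(hw->slots, msg, size * sizeof(uint32_t));
    hw->words_written = size;
    pf_respond(hw, size);
    memcpy(msg, hw->slots, size * sizeof(uint32_t)); /* reply overwrites request */
    return (msg[0] & VF_MSG_ACK) ? MBX_OK : MBX_ERR_NACK;
}

/* Checked wrapper: the caller states the capacity of msg in words and the
 * request is refused before any copy if it would not fit. This is the
 * assertion the report proposes, expressed as an error return. */
static int mbx_write_read_checked(struct mbx_model *hw, uint32_t *msg, size_t cap, size_t size)
{
    if (size > cap)
        return MBX_ERR_SIZE;
    return mbx_write_read_unchecked(hw, msg, size);
}

/* Binds the capacity to the declared array, so a call site cannot quote a
 * count larger than the buffer it actually allocated. */
#define MBX_XFER(hw, buf, size) \
    mbx_write_read_checked((hw), (buf), ARRAY_SIZE(buf), (size))

/* Models the report's call site: a 3-word buffer, with the word count as
 * a parameter so both the correct (3) and the reported (6) value can be
 * tried. Opcode 0x11 is a placeholder, not the real mailbox opcode. */
static int query_link_state(size_t size, uint32_t *speed, uint32_t *link_up)
{
    struct mbx_model hw = {0};
    uint32_t msgbuf[3] = {0};

    msgbuf[0] = 0x11u;
    int err = MBX_XFER(&hw, msgbuf, size);
    if (err == MBX_OK) {
        *speed = msgbuf[1];
        *link_up = msgbuf[2];
    }
    return err;
}

int main(void)
{
    uint32_t speed = 0, link_up = 0;
    printf("size 3: err=%d speed=0x%x link_up=0x%x\n",
           query_link_state(3, &speed, &link_up), speed, link_up);
    printf("size 6: err=%d (rejected before any copy)\n",
           query_link_state(6, &speed, &link_up));
    return 0;
}
```

The unchecked function is the shape to look for in review: a pointer plus a caller-supplied word count with no capacity, so every call site has to get the count right by hand. Calling it directly with size 6 on a 3-word stack array is a 24-byte memcpy over a 12-byte object; a build with -fsanitize=address reports that as a stack-buffer-overflow, which is the instrumented reproduction the report suggests.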
