From: Jakub Kicinski <kuba@kernel.org>
To: Junrui Luo <moonafterrain@outlook.com>
Cc: Ioana Ciornei <ioana.ciornei@nxp.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Yuhao Jiang <danisjiang@gmail.com>
Subject: Re: [PATCH net] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
Date: Thu, 19 Feb 2026 14:14:07 -0800
Message-ID: <20260219141407.7fd697c0@kernel.org>
In-Reply-To: <SYBPR01MB788110DFE66BA1A5CE7E594FAF6DA@SYBPR01MB7881.ausprd01.prod.outlook.com>
On Tue, 17 Feb 2026 22:42:40 +0800 Junrui Luo wrote:
> The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
> but never validates it against DPSW_MAX_IF (64). This value controls
> iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
> into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
> num_ifs >= 64, the loop can write past the array bounds.
>
> Add a bound check for num_ifs in dpaa2_switch_init().
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
Please remove the self-referential reported-by tags. FWIW:
https://github.com/google/security-research/pull/334
> Fixes: f054e3e217e4 ("dpaa2-switch: refactor the egress flooding domain setup")
This commit looks like refactoring.
Please dig a bit deeper to find the real commit in which the bug was
added.
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
> index 66240c340492..78e21b46a5ba 100644
> --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
> +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
> @@ -3034,6 +3034,13 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
> goto err_close;
> }
>
> + if (ethsw->sw_attr.num_ifs >= DPSW_MAX_IF) {
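Review bot: the `>=` in the added `ethsw->sw_attr.num_ifs >= DPSW_MAX_IF` check also rejects `num_ifs == DPSW_MAX_IF`, and the commit message does not justify that. `cfg->if_id[DPSW_MAX_IF]` has room for 64 entries, so 64 ports overflow it only if the loop in dpaa2_switch_fdb_get_flood_cfg() writes an entry beyond the per-port ones. Please add a comment above the check, and a sentence in the commit message, naming that extra entry, or use `>` if there is none, so that a 64-interface configuration is not refused in dpaa2_switch_init() without a reason.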
Unclear to me from a quick look at the code and the commit message why
we reject num_ifs == DPSW_MAX_IF. I see there are some references to a
control interface in egress flooding, is that why?
Please explain clearly.
--
pw-bot: cr
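
The bound question raised in the review, as an added example that is not code from the thread or the driver: a model of a firmware-reported interface count feeding a fixed 64-entry array, showing that `>=` is the right check only when the list needs one slot beyond the ports. `struct flood_cfg`, `validate_num_ifs()`, `build_flood_cfg()` and the `with_ctrl_if` flag are hypothetical; whether the driver adds such an extra entry is not established on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_IF 64 /* mirrors DPSW_MAX_IF (64) from the commit message */

/* Hypothetical stand-in for the flood configuration, not the driver's struct. */
struct flood_cfg {
    uint16_t num_ifs;
    uint16_t if_id[MAX_IF];
};

/* Entries the list needs: one per port, plus one if a control
 * interface is appended (assumption, toggled by with_ctrl_if). */
static size_t flood_entries_needed(uint16_t num_ifs, int with_ctrl_if)
{
    return (size_t)num_ifs + (with_ctrl_if ? 1 : 0);
}

/* Validate the device-reported count once, before anything iterates on it.
 * Returns 0 when every entry fits in if_id[], -1 otherwise. */
int validate_num_ifs(uint16_t num_ifs, int with_ctrl_if)
{
    return flood_entries_needed(num_ifs, with_ctrl_if) <= MAX_IF ? 0 : -1;
}

/* Build the list; refuses to write at all when the count does not fit.
 * Returns the number of entries written, or -1 on rejection. */
int build_flood_cfg(struct flood_cfg *cfg, uint16_t num_ifs, int with_ctrl_if)
{
    size_t i = 0;
    uint16_t port;

    memset(cfg, 0, sizeof(*cfg));
    if (validate_num_ifs(num_ifs, with_ctrl_if) != 0)
        return -1;
    for (port = 0; port < num_ifs; port++)
        cfg->if_id[i++] = port;
    if (with_ctrl_if)
        cfg->if_id[i++] = num_ifs; /* extra entry placed after the ports */
    cfg->num_ifs = (uint16_t)i;
    return (int)i;
}
```

With the extra entry the largest accepted count is 63, which corresponds to rejecting `num_ifs >= 64`; without it, 64 is still in bounds and only `num_ifs > 64` must be rejected.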
Thread overview: 3+ messages
2026-02-17 14:42 [PATCH net] dpaa2-switch: validate num_ifs to prevent out-of-bounds write Junrui Luo
2026-02-19 22:14 ` Jakub Kicinski [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-02-23 8:20 Junrui Luo