From: Greg Kroah-Hartman Date: Tue, 3 Dec 2024 14:18:24 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.325~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19dc1eed9a14833b3a390845291aff0d1b3d2120;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: octeontx2-pf-fix-out-of-bounds-read-in-otx2_get_fecparam.patch --- diff --git a/queue-5.10/octeontx2-pf-fix-out-of-bounds-read-in-otx2_get_fecparam.patch b/queue-5.10/octeontx2-pf-fix-out-of-bounds-read-in-otx2_get_fecparam.patch new file mode 100644 index 00000000000..165ad60a841 --- /dev/null +++ b/queue-5.10/octeontx2-pf-fix-out-of-bounds-read-in-otx2_get_fecparam.patch 
@@ -0,0 +1,50 @@ +From 93efb0c656837f4a31d7cc6117a7c8cecc8fadac Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 12 Feb 2021 06:23:10 -0600 +Subject: octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam() + +From: Gustavo A. R. Silva + +commit 93efb0c656837f4a31d7cc6117a7c8cecc8fadac upstream. + +Code at line 967 implies that rsp->fwdata.supported_fec may be up to 4: + + 967: if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX) + +If rsp->fwdata.supported_fec evaluates to 4, then there is an +out-of-bounds read at line 971 because fec is an array with +a maximum of 4 elements: + + 954 const int fec[] = { + 955 ETHTOOL_FEC_OFF, + 956 ETHTOOL_FEC_BASER, + 957 ETHTOOL_FEC_RS, + 958 ETHTOOL_FEC_BASER | ETHTOOL_FEC_RS}; + 959 #define FEC_MAX_INDEX 4 + + 971: fecparam->fec = fec[rsp->fwdata.supported_fec]; + +Fix this by properly indexing fec[] with rsp->fwdata.supported_fec - 1. +In this case the proper indexes 0 to 3 are used when +rsp->fwdata.supported_fec evaluates to a range of 1 to 4, correspondingly. + +Fixes: d0cf9503e908 ("octeontx2-pf: ethtool fec mode support") +Addresses-Coverity-ID: 1501722 ("Out-of-bounds read") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -805,7 +805,7 @@ static int otx2_get_fecparam(struct net_ + if (!rsp->fwdata.supported_fec) + fecparam->fec = ETHTOOL_FEC_NONE; + else +- fecparam->fec = fec[rsp->fwdata.supported_fec]; ++ fecparam->fec = fec[rsp->fwdata.supported_fec - 1]; + } + return 0; + } diff --git a/queue-5.10/series b/queue-5.10/series index 8ee44755c0c..614f0b18747 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -301,3 +301,4 @@ sunrpc-replace-internal-use-of-sockwq_async_nospace.patch sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch asoc-fsl_micfil-fix-the-naming-style-for-mask-definition.patch +octeontx2-pf-fix-out-of-bounds-read-in-otx2_get_fecparam.patch
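Review bot: in the otx2_get_fecparam() hunk, the new index `fec[rsp->fwdata.supported_fec - 1]` is only in bounds while the upper-bound check quoted in the commit message (`if (rsp->fwdata.supported_fec <= FEC_MAX_INDEX)`) encloses it, and that check is not visible in the hunk's context lines. The commit message cites lines 967 and 971, but this hunk applies at line 805, so for the 5.10 queue it is worth confirming that the guard exists in this tree in the same form before relying on the one-line change. The bound is also kept by hand: `#define FEC_MAX_INDEX 4` has to match the four entries of fec[], and the value being checked comes from firmware response data. Suggest comparing against `ARRAY_SIZE(fec)` so the limit cannot drift from the table if a FEC mode is added later. The zero case is already handled by the `if (!rsp->fwdata.supported_fec)` branch shown in the context, so the `- 1` cannot underflow on this path.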