Re: [v3,net-next,5/5] octeontx2-af: Add support for loading custom KPU profile from filesystem

From: Ratheesh Kannoth

Date: Thu Mar 12 2026 - 22:10:45 EST


On 2026-03-10 at 22:51:00, Simon Horman (horms@xxxxxxxxxx) wrote:
> Could this loop overflow and hang the kernel if firmware specifies more
> than 65535 entries?
>
> The loop variable 'entry' is declared as u16:
>
> u16 kpu, entry;
>
> while 'entries' is an int:
>
> entries = fw_kpu->entries;
>
> In the from_fs path, 'entries' is read directly from the firmware blob
> without capping it (unlike the !from_fs path which uses
> min(fw_kpu->entries, KPU_MAX_CST_ENT)).
>
> If a corrupt or malicious firmware file specifies fw_kpu->entries >
> 65535, the u16 variable wraps around at 65536:
>
> for (entry = 0; entry < entries; entry++)
>
> When entry reaches 65535, incrementing it produces 0, which is still
> less than entries, creating an infinite loop that hangs the kernel.
>
> Should the code either cap entries in the from_fs path or use an
> int-sized loop variable?
Hi Simon, I made some code changes and inadvertently missed addressing this comment in v4.
Sorry about that—I will address it in v5.

>
> > }
>
> [ ... ]
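
The wrap-around raised in the quoted review, as an added user-space example (not part of the original message or the driver's code). The function names, `EXAMPLE_MAX_ENT` and its value, and `STEP_LIMIT` are assumptions made for illustration; the page does not give the value of `KPU_MAX_CST_ENT`.

```c
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_MAX_ENT 2048  /* assumed cap; stands in for KPU_MAX_CST_ENT */
#define STEP_LIMIT 200000L    /* demo guard so the wrapping loop returns */

/* Loop shape from the review: u16 counter, int bound taken from the blob.
 * Returns iterations run, or -1 if the counter wrapped and never finished. */
static long walk_u16(int entries)
{
	uint16_t entry;
	long steps = 0;

	for (entry = 0; entry < entries; entry++)
		if (++steps > STEP_LIMIT)
			return -1;
	return steps;
}

/* Option 1: int-sized counter. Terminates, but still trusts the count. */
static long walk_int(int entries)
{
	long steps = 0;
	for (int entry = 0; entry < entries; entry++)
		steps++;
	return steps;
}

/* Option 2: clamp the untrusted count first, as the !from_fs path does. */
static long walk_capped(int entries)
{
	uint16_t entry;
	long steps = 0;

	if (entries > EXAMPLE_MAX_ENT)
		entries = EXAMPLE_MAX_ENT;
	for (entry = 0; entry < entries; entry++)
		steps++;
	return steps;
}

int main(void)
{
	int counts[] = { 100, 65535, 65536, 70000 };  /* constructed inputs */
	for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
		printf("entries=%d u16=%ld int=%ld capped=%ld\n", counts[i],
		       walk_u16(counts[i]), walk_int(counts[i]), walk_capped(counts[i]));
	return 0;
}
```

A count of 65535 still terminates with the u16 counter; 65536 is the first value that does not, because the counter can never reach it.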