Re: [PATCH net] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
From: Jakub Kicinski
Date: Thu Feb 19 2026 - 17:14:19 EST
On Tue, 17 Feb 2026 22:42:40 +0800 Junrui Luo wrote:
> The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
> but never validates it against DPSW_MAX_IF (64). This value controls
> iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
> into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
> num_ifs >= 64, the loop can write past the array bounds.
>
> Add a bound check for num_ifs in dpaa2_switch_init().
>
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
Please remove the self-referential reported-by tags. FWIW:
https://github.com/google/security-research/pull/334
> Fixes: f054e3e217e4 ("dpaa2-switch: refactor the egress flooding domain setup")
This commit looks like refactoring.
Please dig a bit deeper to find the real commit in which the bug was
added.
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
> index 66240c340492..78e21b46a5ba 100644
> --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
> +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
> @@ -3034,6 +3034,13 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
> goto err_close;
> }
>
> + if (ethsw->sw_attr.num_ifs >= DPSW_MAX_IF) {
Unclear to me from a quick look at the code and the commit message why
we reject num_ifs == DPSW_MAX_IF. I see there are some references to a
control interface in egress flooding, is that why?
Please explain clearly.
--
pw-bot: cr