Re: [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write

Next message: John Garry: "[PATCH 13/24] scsi-multipath: set disk device_groups"
Previous message: John Garry: "[PATCH 13/13] libmultipath: Add mpath_bdev_get_unique_id()"
In reply to: Junrui Luo: "[PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ioana Ciornei

Date: Wed Feb 25 2026 - 10:43:15 EST

On Tue, Feb 24, 2026 at 07:05:56PM +0800, Junrui Luo wrote:
> The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
> but never validates it against DPSW_MAX_IF (64). This value controls
> iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
> into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
> num_ifs >= 64, the loop can write past the array bounds.
>
> Add a bound check for num_ifs in dpaa2_switch_init().
>
> dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
> num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
> ports match the flood filter, the loop fills all 64 slots and the control
> interface write overflows by one entry.
>
> The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
> broken.
>
> build_if_id_bitmap() silently drops any ID >= 64:
> if (id[i] < DPSW_MAX_IF)
> bmap[id[i] / 64] |= ...
>
> Fixes: 539dda3c5d19 ("staging: dpaa2-switch: properly setup switching domains")
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>

Reviewed-by: Ioana Ciornei <ioana.ciornei@xxxxxxx>

Thanks!