Patch "net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 20 Nov 2023 09:37:25 -0500

This is a note to let you know that I've just added the patch titled

    net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-hns3-fix-out-of-bounds-access-may-occur-when-coa.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1bb419eeae1184cf14114779dedca9de49091737
Author: Yonglong Liu <liuyonglong@xxxxxxxxxx>
Date:   Fri Nov 10 17:37:10 2023 +0800

    net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs
    
    [ Upstream commit 53aba458f23846112c0d44239580ff59bc5c36c3 ]
    
    The hns3 driver define an array of string to show the coalesce
    info, but if the kernel adds a new mode or a new state,
    out-of-bounds access may occur when coalesce info is read via
    debugfs, this patch fix the problem.
    
    Fixes: c99fead7cb07 ("net: hns3: add debugfs support for interrupt coalesce")
    Signed-off-by: Yonglong Liu <liuyonglong@xxxxxxxxxx>
    Signed-off-by: Jijie Shao <shaojijie@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
index b8508533878be..4f385a18d288e 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
@@ -500,11 +500,14 @@ static void hns3_get_coal_info(struct hns3_enet_tqp_vector *tqp_vector,
 	}
 
 	sprintf(result[j++], "%d", i);
-	sprintf(result[j++], "%s", dim_state_str[dim->state]);
+	sprintf(result[j++], "%s", dim->state < ARRAY_SIZE(dim_state_str) ?
+		dim_state_str[dim->state] : "unknown");
 	sprintf(result[j++], "%u", dim->profile_ix);
-	sprintf(result[j++], "%s", dim_cqe_mode_str[dim->mode]);
+	sprintf(result[j++], "%s", dim->mode < ARRAY_SIZE(dim_cqe_mode_str) ?
+		dim_cqe_mode_str[dim->mode] : "unknown");
 	sprintf(result[j++], "%s",
-		dim_tune_stat_str[dim->tune_state]);
+		dim->tune_state < ARRAY_SIZE(dim_tune_stat_str) ?
+		dim_tune_stat_str[dim->tune_state] : "unknown");
 	sprintf(result[j++], "%u", dim->steps_left);
 	sprintf(result[j++], "%u", dim->steps_right);
 	sprintf(result[j++], "%u", dim->tired);






