[PATCH RESEND] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

Chengen Du posted 1 patch 1 year, 1 month ago
There is a newer version of this series
drivers/firmware/iscsi_ibft.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Posted by Chengen Du 1 year, 1 month ago
When performing an iSCSI boot using IPv6, iscsistart still reads the
/sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix
length is 64, this causes the shift exponent to become negative,
triggering a UBSAN warning. As the concept of a subnet mask does not
apply to IPv6, the value is set to ~0 to suppress the warning message.

Signed-off-by: Chengen Du <chengen.du@canonical.com>
---
 drivers/firmware/iscsi_ibft.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c
index 6e9788324fea..e2c0749f6afa 100644
--- a/drivers/firmware/iscsi_ibft.c
+++ b/drivers/firmware/iscsi_ibft.c
@@ -310,7 +310,10 @@ static ssize_t ibft_attr_show_nic(void *data, int type, char *buf)
 		str += sprintf_ipaddr(str, nic->ip_addr);
 		break;
 	case ISCSI_BOOT_ETH_SUBNET_MASK:
-		val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
+		if (nic->subnet_mask_prefix > 32)
+			val = ~0;
+		else
+			val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
 		str += sprintf(str, "%pI4", &val);
 		break;
 	case ISCSI_BOOT_ETH_PREFIX_LEN:
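Review bot: `val = ~0;` in the new `subnet_mask_prefix > 32` branch assigns a plain int to `val`, while the else branch wraps its value in `cpu_to_be32()`; if `val` carries an endian annotation, sparse will flag the mismatched base type. Writing `val = cpu_to_be32(~0);` keeps both branches consistent. The retained expression also still evaluates `1 << 32` when the prefix is 0, which is the same kind of out-of-range shift on a 32-bit int, so the guard should cover that value too, for example by special-casing 0. With `%pI4` the attribute will now read 255.255.255.255 for an IPv6 NIC, so a one-line comment that this is a placeholder because IPv6 has no subnet mask would help the next reader.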
-- 
2.43.0
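The prefix-to-netmask conversion discussed in the commit message, written as a userspace sketch that never shifts out of range. This is an added example, not code from the patch or from the kernel: the helper names `prefix_to_netmask` and `format_netmask` are hypothetical, and returning an error / "n/a" for prefixes above 32 is a choice made here (the patch reports ~0 instead).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>	/* htonl */

/*
 * Hypothetical helper: convert a prefix length to an IPv4 netmask in
 * network byte order. Returns 0 and sets *mask on success, -1 when the
 * prefix cannot describe an IPv4 mask.
 */
int prefix_to_netmask(unsigned int prefix, uint32_t *mask)
{
	uint32_t host;

	if (prefix > 32)	/* e.g. the IPv6 prefix length 64 */
		return -1;
	/*
	 * prefix == 0 would need a shift by 32, which is undefined for a
	 * 32-bit operand, so handle it explicitly. Shifting an unsigned
	 * all-ones value also avoids the signed overflow of 1 << 31.
	 */
	host = prefix ? ~(uint32_t)0 << (32 - prefix) : 0;
	*mask = htonl(host);
	return 0;
}

/* Format the mask as a dotted quad; yields "n/a" for non-IPv4 prefixes. */
const char *format_netmask(unsigned int prefix, char *buf, size_t len)
{
	uint32_t mask;
	unsigned char b[4];

	if (prefix_to_netmask(prefix, &mask) < 0) {
		snprintf(buf, len, "n/a");
		return buf;
	}
	memcpy(b, &mask, sizeof(b));	/* bytes are already in network order */
	snprintf(buf, len, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
	return buf;
}

int main(void)
{
	/* Constructed sample prefixes, including the IPv6 value from the report. */
	unsigned int samples[] = { 0, 1, 24, 32, 64 };
	char buf[16];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("/%u -> %s\n", samples[i],
		       format_netmask(samples[i], buf, sizeof(buf)));
	return 0;
}
```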
Re: [PATCH RESEND] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
Posted by kernel test robot 1 year, 1 month ago
Hi Chengen,

kernel test robot noticed the following build warnings:

[auto build test WARNING on linus/master]
[also build test WARNING on v6.13-rc6 next-20250107]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Chengen-Du/iscsi_ibft-Fix-UBSAN-shift-out-of-bounds-warning-in-ibft_attr_show_nic/20250106-123816
base:   linus/master
patch link:    https://lore.kernel.org/r/20250106043415.1966355-1-chengen.du%40canonical.com
patch subject: [PATCH RESEND] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
config: i386-randconfig-061-20250108 (https://download.01.org/0day-ci/archive/20250108/202501081604.SgFiMXxU-lkp@intel.com/config)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250108/202501081604.SgFiMXxU-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501081604.SgFiMXxU-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/firmware/iscsi_ibft.c:314:29: sparse: sparse: incorrect type in assignment (different base types) @@     expected restricted __be32 [usertype] val @@     got int @@
   drivers/firmware/iscsi_ibft.c:314:29: sparse:     expected restricted __be32 [usertype] val
   drivers/firmware/iscsi_ibft.c:314:29: sparse:     got int

vim +314 drivers/firmware/iscsi_ibft.c

   290	
   291	static ssize_t ibft_attr_show_nic(void *data, int type, char *buf)
   292	{
   293		struct ibft_kobject *entry = data;
   294		struct ibft_nic *nic = entry->nic;
   295		void *ibft_loc = entry->header;
   296		char *str = buf;
   297		__be32 val;
   298	
   299		if (!nic)
   300			return 0;
   301	
   302		switch (type) {
   303		case ISCSI_BOOT_ETH_INDEX:
   304			str += sprintf(str, "%d\n", nic->hdr.index);
   305			break;
   306		case ISCSI_BOOT_ETH_FLAGS:
   307			str += sprintf(str, "%d\n", nic->hdr.flags);
   308			break;
   309		case ISCSI_BOOT_ETH_IP_ADDR:
   310			str += sprintf_ipaddr(str, nic->ip_addr);
   311			break;
   312		case ISCSI_BOOT_ETH_SUBNET_MASK:
   313			if (nic->subnet_mask_prefix > 32)
 > 314				val = ~0;
   315			else
   316				val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
   317			str += sprintf(str, "%pI4", &val);
   318			break;
   319		case ISCSI_BOOT_ETH_PREFIX_LEN:
   320			str += sprintf(str, "%d\n", nic->subnet_mask_prefix);
   321			break;
   322		case ISCSI_BOOT_ETH_ORIGIN:
   323			str += sprintf(str, "%d\n", nic->origin);
   324			break;
   325		case ISCSI_BOOT_ETH_GATEWAY:
   326			str += sprintf_ipaddr(str, nic->gateway);
   327			break;
   328		case ISCSI_BOOT_ETH_PRIMARY_DNS:
   329			str += sprintf_ipaddr(str, nic->primary_dns);
   330			break;
   331		case ISCSI_BOOT_ETH_SECONDARY_DNS:
   332			str += sprintf_ipaddr(str, nic->secondary_dns);
   333			break;
   334		case ISCSI_BOOT_ETH_DHCP:
   335			str += sprintf_ipaddr(str, nic->dhcp);
   336			break;
   337		case ISCSI_BOOT_ETH_VLAN:
   338			str += sprintf(str, "%d\n", nic->vlan);
   339			break;
   340		case ISCSI_BOOT_ETH_MAC:
   341			str += sprintf(str, "%pM\n", nic->mac);
   342			break;
   343		case ISCSI_BOOT_ETH_HOSTNAME:
   344			str += sprintf_string(str, nic->hostname_len,
   345					      (char *)ibft_loc + nic->hostname_off);
   346			break;
   347		default:
   348			break;
   349		}
   350	
   351		return str - buf;
   352	};
   353	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki