memory: brcmstb_dpfe: fix array index out of bounds

Message ID	20200821010333.20436-1-mmayer@broadcom.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=QQOt=B7=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 72993207DE From: Markus Mayer <markus.mayer@broadcom.com> To: Florian Fainelli <f.fainelli@gmail.com>, Colin Ian King <colin.king@canonical.com>, Krzysztof Kozlowski <krzk@kernel.org> Subject: [PATCH] memory: brcmstb_dpfe: fix array index out of bounds Date: Thu, 20 Aug 2020 18:03:33 -0700 Message-Id: <20200821010333.20436-1-mmayer@broadcom.com> summary: Content analysis details: (-2.5 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [192.19.229.170 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.0 DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender Precedence: list Cc: BCM Kernel Feedback <bcm-kernel-feedback-list@broadcom.com>, Linux ARM Kernel <linux-arm-kernel@lists.infradead.org>, Markus Mayer <markus.mayer@broadcom.com>, Linux Kernel <linux-kernel@vger.kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
Series	memory: brcmstb_dpfe: fix array index out of bounds \| expand memory: brcmstb_dpfe: fix array index out of bounds

Message ID

20200821010333.20436-1-mmayer@broadcom.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 72993207DE
From: Markus Mayer <markus.mayer@broadcom.com>
To: Florian Fainelli <f.fainelli@gmail.com>,
 Colin Ian King <colin.king@canonical.com>,
 Krzysztof Kozlowski <krzk@kernel.org>
Subject: [PATCH] memory: brcmstb_dpfe: fix array index out of bounds
Date: Thu, 20 Aug 2020 18:03:33 -0700
Message-Id: <20200821010333.20436-1-mmayer@broadcom.com>
Precedence: list
Cc: BCM Kernel Feedback <bcm-kernel-feedback-list@broadcom.com>,
 Linux ARM Kernel <linux-arm-kernel@lists.infradead.org>,
 Markus Mayer <markus.mayer@broadcom.com>,
 Linux Kernel <linux-kernel@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org

Series

memory: brcmstb_dpfe: fix array index out of bounds | expand

Commit Message

Markus Mayer Aug. 21, 2020, 1:03 a.m. UTC

We would overrun the error_text array if we hit a TIMEOUT condition,
because we were using the error code "ETIMEDOUT" (which is 110) as an
array index.

We fix the problem by correcting the array index and by providing a
function to retrieve error messages rather than accessing the array
directly. The function includes a bounds check that prevents the array
from being overrun.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
---

This patch was prepared in response to https://lkml.org/lkml/2020/8/18/505.

 drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

Comments

Florian Fainelli Aug. 21, 2020, 3:15 a.m. UTC | #1

On 8/20/2020 6:03 PM, Markus Mayer wrote:
> We would overrun the error_text array if we hit a TIMEOUT condition,
> because we were using the error code "ETIMEDOUT" (which is 110) as an
> array index.
> 
> We fix the problem by correcting the array index and by providing a
> function to retrieve error messages rather than accessing the array
> directly. The function includes a bounds check that prevents the array
> from being overrun.
> 
> Signed-off-by: Markus Mayer <mmayer@broadcom.com>

Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE")
Reported-by: Colin Ian King <colin.king@canonical.com>

(Colin, was there a specific coverity ID you wanted to use?)

kernel test robot Aug. 21, 2020, 4:42 a.m. UTC | #2

Hi Markus,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v5.9-rc1 next-20200820]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Markus-Mayer/memory-brcmstb_dpfe-fix-array-index-out-of-bounds/20200821-090533
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git da2968ff879b9e74688cdc658f646971991d2c56
config: arm-defconfig (attached as .config)
compiler: arm-linux-gnueabi-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=arm 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> drivers/memory/brcmstb_dpfe.c:305:8: warning: type qualifiers ignored on function return type [-Wignored-qualifiers]
     305 | static const char * const get_error_text(unsigned int i)
         |        ^~~~~

# https://github.com/0day-ci/linux/commit/a2de88715f98369b7e4478457a6455c3e2c72725
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Markus-Mayer/memory-brcmstb_dpfe-fix-array-index-out-of-bounds/20200821-090533
git checkout a2de88715f98369b7e4478457a6455c3e2c72725
vim +305 drivers/memory/brcmstb_dpfe.c

   304	
 > 305	static const char * const get_error_text(unsigned int i)
   306	{
   307		static const char * const error_text[] = {
   308			"Success", "Header code incorrect",
   309			"Unknown command or argument", "Incorrect checksum",
   310			"Malformed command", "Timed out", "Unknown error",
   311		};
   312	
   313		if (unlikely(i >= ARRAY_SIZE(error_text)))
   314			i = ARRAY_SIZE(error_text) - 1;
   315	
   316		return error_text[i];
   317	}
   318	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Krzysztof Kozlowski Aug. 21, 2020, 5:40 a.m. UTC | #3

On Thu, Aug 20, 2020 at 06:03:33PM -0700, Markus Mayer wrote:
> We would overrun the error_text array if we hit a TIMEOUT condition,
> because we were using the error code "ETIMEDOUT" (which is 110) as an
> array index.
> 
> We fix the problem by correcting the array index and by providing a
> function to retrieve error messages rather than accessing the array
> directly. The function includes a bounds check that prevents the array
> from being overrun.
> 
> Signed-off-by: Markus Mayer <mmayer@broadcom.com>
> ---
> 
> This patch was prepared in response to https://lkml.org/lkml/2020/8/18/505.
> 
>  drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++-------
>  1 file changed, 16 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
> index 81abc4a98a27..a986a849f58e 100644
> --- a/drivers/memory/brcmstb_dpfe.c
> +++ b/drivers/memory/brcmstb_dpfe.c
> @@ -190,11 +190,6 @@ struct brcmstb_dpfe_priv {
>  	struct mutex lock;
>  };
>  
> -static const char * const error_text[] = {
> -	"Success", "Header code incorrect", "Unknown command or argument",
> -	"Incorrect checksum", "Malformed command", "Timed out",
> -};
> -
>  /*
>   * Forward declaration of our sysfs attribute functions, so we can declare the
>   * attribute data structures early.
> @@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = {
>  	},
>  };
>  
> +static const char * const get_error_text(unsigned int i)

The pointer itself is returned by value and you cannot return a const
value. I mean, you can but it does not have an effect. Only pointed
memory should be const (const const char*).

Best regards,
Krzysztof


> +{
> +	static const char * const error_text[] = {
> +		"Success", "Header code incorrect",
> +		"Unknown command or argument", "Incorrect checksum",
> +		"Malformed command", "Timed out", "Unknown error",
> +	};
> +
> +	if (unlikely(i >= ARRAY_SIZE(error_text)))
> +		i = ARRAY_SIZE(error_text) - 1;
> +
> +	return error_text[i];
> +}
> +
>  static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv)
>  {
>  	u32 val;
> @@ -446,7 +455,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd,
>  	}
>  	if (resp != 0) {
>  		mutex_unlock(&priv->lock);
> -		return -ETIMEDOUT;
> +		return -ffs(DCPU_RET_ERR_TIMEDOUT);
>  	}
>  
>  	/* Compute checksum over the message */
> @@ -695,7 +704,7 @@ static ssize_t generic_show(unsigned int command, u32 response[],
>  
>  	ret = __send_command(priv, command, response);
>  	if (ret < 0)
> -		return sprintf(buf, "ERROR: %s\n", error_text[-ret]);
> +		return sprintf(buf, "ERROR: %s\n", get_error_text(-ret));
>  
>  	return 0;
>  }
> -- 
> 2.17.1
>

Markus Mayer Aug. 21, 2020, 4:49 p.m. UTC | #4

On Thu, 20 Aug 2020 at 22:40, Krzysztof Kozlowski <krzk@kernel.org> wrote:
>
> On Thu, Aug 20, 2020 at 06:03:33PM -0700, Markus Mayer wrote:
> > We would overrun the error_text array if we hit a TIMEOUT condition,
> > because we were using the error code "ETIMEDOUT" (which is 110) as an
> > array index.
> >
> > We fix the problem by correcting the array index and by providing a
> > function to retrieve error messages rather than accessing the array
> > directly. The function includes a bounds check that prevents the array
> > from being overrun.
> >
> > Signed-off-by: Markus Mayer <mmayer@broadcom.com>
> > ---
> >
> > This patch was prepared in response to https://lkml.org/lkml/2020/8/18/505.
> >
> >  drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++-------
> >  1 file changed, 16 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
> > index 81abc4a98a27..a986a849f58e 100644
> > --- a/drivers/memory/brcmstb_dpfe.c
> > +++ b/drivers/memory/brcmstb_dpfe.c
> > @@ -190,11 +190,6 @@ struct brcmstb_dpfe_priv {
> >       struct mutex lock;
> >  };
> >
> > -static const char * const error_text[] = {
> > -     "Success", "Header code incorrect", "Unknown command or argument",
> > -     "Incorrect checksum", "Malformed command", "Timed out",
> > -};
> > -
> >  /*
> >   * Forward declaration of our sysfs attribute functions, so we can declare the
> >   * attribute data structures early.
> > @@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = {
> >       },
> >  };
> >
> > +static const char * const get_error_text(unsigned int i)
>
> The pointer itself is returned by value and you cannot return a const
> value. I mean, you can but it does not have an effect. Only pointed
> memory should be const (const const char*).

v2 is on the way.

Regards,
-Markus

> > +{
> > +     static const char * const error_text[] = {
> > +             "Success", "Header code incorrect",
> > +             "Unknown command or argument", "Incorrect checksum",
> > +             "Malformed command", "Timed out", "Unknown error",
> > +     };
> > +
> > +     if (unlikely(i >= ARRAY_SIZE(error_text)))
> > +             i = ARRAY_SIZE(error_text) - 1;
> > +
> > +     return error_text[i];
> > +}
> > +
> >  static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv)
> >  {
> >       u32 val;
> > @@ -446,7 +455,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd,
> >       }
> >       if (resp != 0) {
> >               mutex_unlock(&priv->lock);
> > -             return -ETIMEDOUT;
> > +             return -ffs(DCPU_RET_ERR_TIMEDOUT);
> >       }
> >
> >       /* Compute checksum over the message */
> > @@ -695,7 +704,7 @@ static ssize_t generic_show(unsigned int command, u32 response[],
> >
> >       ret = __send_command(priv, command, response);
> >       if (ret < 0)
> > -             return sprintf(buf, "ERROR: %s\n", error_text[-ret]);
> > +             return sprintf(buf, "ERROR: %s\n", get_error_text(-ret));
> >
> >       return 0;
> >  }
> > --
> > 2.17.1
> >

diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
index 81abc4a98a27..a986a849f58e 100644
--- a/drivers/memory/brcmstb_dpfe.c
+++ b/drivers/memory/brcmstb_dpfe.c
@@ -190,11 +190,6 @@  struct brcmstb_dpfe_priv {
 	struct mutex lock;
 };
 
-static const char * const error_text[] = {
-	"Success", "Header code incorrect", "Unknown command or argument",
-	"Incorrect checksum", "Malformed command", "Timed out",
-};
-
 /*
  * Forward declaration of our sysfs attribute functions, so we can declare the
  * attribute data structures early.
@@ -307,6 +302,20 @@  static const struct dpfe_api dpfe_api_v3 = {
 	},
 };
 
+static const char * const get_error_text(unsigned int i)
+{
+	static const char * const error_text[] = {
+		"Success", "Header code incorrect",
+		"Unknown command or argument", "Incorrect checksum",
+		"Malformed command", "Timed out", "Unknown error",
+	};
+
+	if (unlikely(i >= ARRAY_SIZE(error_text)))
+		i = ARRAY_SIZE(error_text) - 1;
+
+	return error_text[i];
+}
+
 static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv)
 {
 	u32 val;
@@ -446,7 +455,7 @@  static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd,
 	}
 	if (resp != 0) {
 		mutex_unlock(&priv->lock);
-		return -ETIMEDOUT;
+		return -ffs(DCPU_RET_ERR_TIMEDOUT);
 	}
 
 	/* Compute checksum over the message */
@@ -695,7 +704,7 @@  static ssize_t generic_show(unsigned int command, u32 response[],
 
 	ret = __send_command(priv, command, response);
 	if (ret < 0)
-		return sprintf(buf, "ERROR: %s\n", error_text[-ret]);
+		return sprintf(buf, "ERROR: %s\n", get_error_text(-ret));
 
 	return 0;
 }

memory: brcmstb_dpfe: fix array index out of bounds

Commit Message

Comments

Patch