| Message ID | 20231228193903.9078-2-wahrenst@gmx.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [V2,1/2] ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init | expand |
On Fri, Dec 29, 2023 at 3:39 AM Stefan Wahren <wahrenst@gmx.net> wrote: > > of_property_match_string returns an int; either an index from 0 or > greater if successful or negative on failure. Even it's very > unlikely that the DT CPU node contains multiple enable-methods > these checks should be fixed. > > This patch was inspired by the work of Nick Desaulniers. > > Link: https://lore.kernel.org/lkml/20230516-sunxi-v1-1-ac4b9651a8c1@google.com/T/ > Cc: Nick Desaulniers <ndesaulniers@google.com> > Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Reviewed-by: Chen-Yu Tsai <wens@csie.org> Arnd, would it be possible to apply the two fixes directly to the soc tree? Thanks. > --- > arch/arm/mach-sunxi/mc_smp.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c > index 6ec3445f3c72..277f6aa8e6c2 100644 > --- a/arch/arm/mach-sunxi/mc_smp.c > +++ b/arch/arm/mach-sunxi/mc_smp.c > @@ -803,12 +803,12 @@ static int __init sunxi_mc_smp_init(void) > for (i = 0; i < ARRAY_SIZE(sunxi_mc_smp_data); i++) { > ret = of_property_match_string(node, "enable-method", > sunxi_mc_smp_data[i].enable_method); > - if (!ret) > + if (ret >= 0) > break; > } > > of_node_put(node); > - if (ret) > + if (ret < 0) > return -ENODEV; > > is_a83t = sunxi_mc_smp_data[i].is_a83t; > -- > 2.34.1 >
On Tue, Jan 2, 2024, at 15:59, Chen-Yu Tsai wrote: > On Fri, Dec 29, 2023 at 3:39 AM Stefan Wahren <wahrenst@gmx.net> wrote: >> >> of_property_match_string returns an int; either an index from 0 or >> greater if successful or negative on failure. Even it's very >> unlikely that the DT CPU node contains multiple enable-methods >> these checks should be fixed. >> >> This patch was inspired by the work of Nick Desaulniers. >> >> Link: https://lore.kernel.org/lkml/20230516-sunxi-v1-1-ac4b9651a8c1@google.com/T/ >> Cc: Nick Desaulniers <ndesaulniers@google.com> >> Signed-off-by: Stefan Wahren <wahrenst@gmx.net> > > Reviewed-by: Chen-Yu Tsai <wens@csie.org> > > Arnd, would it be possible to apply the two fixes directly to the soc tree? Yes, I've merged them into the arm/fixes branch now. These are currently the only fixes I have queued up but I should be able to send them before the v6.7 release. Arnd
diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c index 6ec3445f3c72..277f6aa8e6c2 100644 --- a/arch/arm/mach-sunxi/mc_smp.c +++ b/arch/arm/mach-sunxi/mc_smp.c @@ -803,12 +803,12 @@ static int __init sunxi_mc_smp_init(void) for (i = 0; i < ARRAY_SIZE(sunxi_mc_smp_data); i++) { ret = of_property_match_string(node, "enable-method", sunxi_mc_smp_data[i].enable_method); - if (!ret) + if (ret >= 0) break; } of_node_put(node); - if (ret) + if (ret < 0) return -ENODEV; is_a83t = sunxi_mc_smp_data[i].is_a83t;
of_property_match_string returns an int; either an index from 0 or greater if successful or negative on failure. Even it's very unlikely that the DT CPU node contains multiple enable-methods these checks should be fixed. This patch was inspired by the work of Nick Desaulniers. Link: https://lore.kernel.org/lkml/20230516-sunxi-v1-1-ac4b9651a8c1@google.com/T/ Cc: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Stefan Wahren <wahrenst@gmx.net> --- arch/arm/mach-sunxi/mc_smp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.34.1