* question regarding nvc0_instmem_suspend()
From: Dan Carpenter @ 2010-08-13 21:39 UTC (permalink / raw)
To: bskeggs; +Cc: dri-devel
Smatch thinks there is a buffer overflow in nvc0_instmem_suspend() and
I've looked at it, but I don't understand the code.
drivers/gpu/drm/nouveau/nvc0_instmem.c +152 nvc0_instmem_suspend(10)
error: buffer overflow 'dev_priv->susres.ramin_copy' 16384 <= 1835008
141 int
142 nvc0_instmem_suspend(struct drm_device *dev)
143 {
144 struct drm_nouveau_private *dev_priv = dev->dev_private;
145 int i;
146
147 dev_priv->susres.ramin_copy = vmalloc(65536);
dev_priv->susres.ramin_copy is an array of 16384 u32 elements
(65536 bytes).
148 if (!dev_priv->susres.ramin_copy)
149 return -ENOMEM;
150
151 for (i = 0x700000; i < 0x710000; i += 4)
152 dev_priv->susres.ramin_copy[i/4] = nv_rd32(dev, i);
0x700000 / 4 is 1835008 so we're way past the end of the array
and then we get larger.
153 return 0;
154 }
Normally when I'm this confused it's because I'm missing something
obvious. :P Can you help me out?
regards,
dan carpenter
* Re: question regarding nvc0_instmem_suspend()
From: Luca Tettamanti @ 2010-08-13 21:59 UTC (permalink / raw)
To: Dan Carpenter; +Cc: bskeggs, dri-devel
On Fri, Aug 13, 2010 at 11:39 PM, Dan Carpenter <error27@gmail.com> wrote:
> Smatch thinks there is a buffer overflow in nvc0_instmem_suspend() and
> I've looked at it, but I don't understand the code.
>
> drivers/gpu/drm/nouveau/nvc0_instmem.c +152 nvc0_instmem_suspend(10)
> error: buffer overflow 'dev_priv->susres.ramin_copy' 16384 <= 1835008
>
> 141 int
> 142 nvc0_instmem_suspend(struct drm_device *dev)
> 143 {
> 144 struct drm_nouveau_private *dev_priv = dev->dev_private;
> 145 int i;
> 146
> 147 dev_priv->susres.ramin_copy = vmalloc(65536);
>
> dev_priv->susres.ramin_copy is an array of 16384 u32 elements
> (65536 bytes).
>
> 148 if (!dev_priv->susres.ramin_copy)
> 149 return -ENOMEM;
> 150
> 151 for (i = 0x700000; i < 0x710000; i += 4)
> 152 dev_priv->susres.ramin_copy[i/4] = nv_rd32(dev, i);
>
> 0x700000 / 4 is 1835008 so we're way past the end of the array
> and then we get larger.
I guess that it should be something like:
base = 0x700000;
for (i = 0; i < 0x10000; i += 4)
dev_priv->susres.ramin_copy[i/4] = nv_rd32(dev, base + i);
Luca
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
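As an added example (not code from this thread or from nouveau), here is a small user-space C model of the copy loop: it records the out-of-range index the original loop computes on its first iteration, and runs the loop in the index-by-offset form Luca suggests against a stand-in for nv_rd32(). fake_rd32(), verify_fixed_copy() and the RAMIN_* constants are assumptions built only from the values quoted in the thread.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the copy in nvc0_instmem_suspend(): RAMIN sits at
 * register offset 0x700000, is 64 KiB, and is saved into 16384 u32s. */
#define RAMIN_BASE  0x700000u
#define RAMIN_SIZE  0x10000u          /* 65536 bytes */
#define RAMIN_WORDS (RAMIN_SIZE / 4)  /* 16384 u32 elements */

/* Hypothetical stand-in for nv_rd32(): deterministic per offset so the
 * copy can be checked without hardware. */
static uint32_t fake_rd32(uint32_t reg)
{
    return reg ^ 0xdeadbeefu;
}

/* First index the original loop computes: i / 4 with i = 0x700000, which
 * is 1835008 and already past the end of the 16384-entry array. */
static size_t buggy_first_index(void)
{
    return RAMIN_BASE / 4;
}

/* Corrected loop in the shape Luca proposed: index by byte offset within
 * RAMIN, read from base + offset. Returns words copied, 0 on bounds error. */
static size_t ramin_copy_fixed(uint32_t *copy, size_t nwords)
{
    uint32_t i;
    for (i = 0; i < RAMIN_SIZE; i += 4) {
        size_t idx = i / 4;
        if (idx >= nwords)   /* the bound smatch could not see hold */
            return 0;
        copy[idx] = fake_rd32(RAMIN_BASE + i);
    }
    return RAMIN_WORDS;
}

/* Run the fixed copy into a 64 KiB buffer; 1 if the first and last entries
 * came from base + 0 and base + 0xfffc, 0 otherwise. */
static int verify_fixed_copy(void)
{
    uint32_t *copy = malloc(RAMIN_SIZE);
    int ok = copy != NULL
             && ramin_copy_fixed(copy, RAMIN_WORDS) == RAMIN_WORDS
             && copy[0] == fake_rd32(RAMIN_BASE)
             && copy[RAMIN_WORDS - 1] == fake_rd32(RAMIN_BASE + RAMIN_SIZE - 4);
    free(copy);
    return ok;
}
```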
* Re: question regarding nvc0_instmem_suspend()
From: Ben Skeggs @ 2010-08-15 22:24 UTC (permalink / raw)
To: Luca Tettamanti; +Cc: Dan Carpenter, dri-devel
On Fri, 2010-08-13 at 23:59 +0200, Luca Tettamanti wrote:
> On Fri, Aug 13, 2010 at 11:39 PM, Dan Carpenter <error27@gmail.com> wrote:
> > Smatch thinks there is a buffer overflow in nvc0_instmem_suspend() and
> > I've looked at it, but I don't understand the code.
> >
> > drivers/gpu/drm/nouveau/nvc0_instmem.c +152 nvc0_instmem_suspend(10)
> > error: buffer overflow 'dev_priv->susres.ramin_copy' 16384 <= 1835008
> >
> > 141 int
> > 142 nvc0_instmem_suspend(struct drm_device *dev)
> > 143 {
> > 144 struct drm_nouveau_private *dev_priv = dev->dev_private;
> > 145 int i;
> > 146
> > 147 dev_priv->susres.ramin_copy = vmalloc(65536);
> >
> > dev_priv->susres.ramin_copy is an array of 16384 u32 elements
> > (65536 bytes).
> >
> > 148 if (!dev_priv->susres.ramin_copy)
> > 149 return -ENOMEM;
> > 150
> > 151 for (i = 0x700000; i < 0x710000; i += 4)
> > 152 dev_priv->susres.ramin_copy[i/4] = nv_rd32(dev, i);
> >
> > 0x700000 / 4 is 1835008 so we're way past the end of the array
> > and then we get larger.
>
> I guess that it should be something like:
>
> base = 0x700000;
> for (i = 0; i < 0x10000; i += 4)
> dev_priv->susres.ramin_copy[i/4] = nv_rd32(dev, base + i);
Oops, what a thinko. I've pushed a fix to nouveau git, I'll send it on
for inclusion in 2.6.36.
Ben.
>
>
> Luca