From: Vinod Koul <vinod.koul@intel.com>
To: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com>,
Alexandre Torgue <alexandre.torgue@st.com>,
Dan Williams <dan.j.williams@intel.com>,
M'boumba Cedric Madianga <cedric.madianga@gmail.com>,
dmaengine@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: [v1,1/1] dmaengine: stm32-dmamux: fix a potential buffer overflow
Date: Thu, 22 Mar 2018 10:51:50 +0530 [thread overview]
Message-ID: <20180322052150.GB15443@localhost> (raw)
On Tue, Mar 13, 2018 at 05:55:35PM +0100, Pierre-Yves MORDRET wrote:
> The bitfield dma_inuse is allocated of size dma_requests bits, thus a
> valid bit address is from 0 to (dma_requests - 1).
> When find_first_zero_bit() fails, it returns dma_requests as invalid
> address.
> Using such address for the following set_bit() is incorrect and, if
> dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer
> overflow.
> Currently this driver is only used in DT stm32h743.dtsi where a safe value
> dma_requests=16 is not triggering the buffer overflow.
>
> Fixed by checking the return value of find_first_zero_bit() _before_
> using it.
Applied, thanks
WARNING: multiple messages have this Message-ID (diff)
From: vinod.koul@intel.com (Vinod Koul)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v1 1/1] dmaengine: stm32-dmamux: fix a potential buffer overflow
Date: Thu, 22 Mar 2018 10:51:50 +0530 [thread overview]
Message-ID: <20180322052150.GB15443@localhost> (raw)
In-Reply-To: <1520960135-26575-1-git-send-email-pierre-yves.mordret@st.com>
On Tue, Mar 13, 2018 at 05:55:35PM +0100, Pierre-Yves MORDRET wrote:
> The bitfield dma_inuse is allocated of size dma_requests bits, thus a
> valid bit address is from 0 to (dma_requests - 1).
> When find_first_zero_bit() fails, it returns dma_requests as invalid
> address.
> Using such address for the following set_bit() is incorrect and, if
> dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer
> overflow.
> Currently this driver is only used in DT stm32h743.dtsi where a safe value
> dma_requests=16 is not triggering the buffer overflow.
>
> Fixed by checking the return value of find_first_zero_bit() _before_
> using it.
Applied, thanks
--
~Vinod
WARNING: multiple messages have this Message-ID (diff)
From: Vinod Koul <vinod.koul@intel.com>
To: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com>,
Alexandre Torgue <alexandre.torgue@st.com>,
Dan Williams <dan.j.williams@intel.com>,
"M'boumba Cedric Madianga" <cedric.madianga@gmail.com>,
dmaengine@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 1/1] dmaengine: stm32-dmamux: fix a potential buffer overflow
Date: Thu, 22 Mar 2018 10:51:50 +0530 [thread overview]
Message-ID: <20180322052150.GB15443@localhost> (raw)
In-Reply-To: <1520960135-26575-1-git-send-email-pierre-yves.mordret@st.com>
On Tue, Mar 13, 2018 at 05:55:35PM +0100, Pierre-Yves MORDRET wrote:
> The bitfield dma_inuse is allocated of size dma_requests bits, thus a
> valid bit address is from 0 to (dma_requests - 1).
> When find_first_zero_bit() fails, it returns dma_requests as invalid
> address.
> Using such address for the following set_bit() is incorrect and, if
> dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer
> overflow.
> Currently this driver is only used in DT stm32h743.dtsi where a safe value
> dma_requests=16 is not triggering the buffer overflow.
>
> Fixed by checking the return value of find_first_zero_bit() _before_
> using it.
Applied, thanks
--
~Vinod
next reply other threads:[~2018-03-22 5:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-22 5:21 Vinod Koul [this message]
2018-03-22 5:21 ` [PATCH v1 1/1] dmaengine: stm32-dmamux: fix a potential buffer overflow Vinod Koul
2018-03-22 5:21 ` Vinod Koul
-- strict thread matches above, loose matches on Subject: below --
2018-03-13 16:55 [v1,1/1] " Pierre Yves MORDRET
2018-03-13 16:55 ` [PATCH v1 1/1] " Pierre-Yves MORDRET
2018-03-13 16:55 ` Pierre-Yves MORDRET
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180322052150.GB15443@localhost \
--to=vinod.koul@intel.com \
--cc=alexandre.torgue@st.com \
--cc=cedric.madianga@gmail.com \
--cc=dan.j.williams@intel.com \
--cc=dmaengine@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcoquelin.stm32@gmail.com \
--cc=pierre-yves.mordret@st.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.