From: Dan Carpenter <dan.carpenter@oracle.com>
To: sricharan@codeaurora.org
Cc: linux-remoteproc@vger.kernel.org
Subject: [bug report] rpmsg: glink: Use the local intents when receiving data
Date: Mon, 1 Oct 2018 14:00:29 +0300 [thread overview]
Message-ID: <20181001110029.GA20364@mwanda> (raw)
Hello Sricharan R,
The patch 64f95f87920d: "rpmsg: glink: Use the local intents when
receiving data" from Aug 24, 2017, leads to the following static
checker warning:
drivers/rpmsg/qcom_glink_native.c:813 qcom_glink_rx_data()
warn: integer overflows 'chunk_size + left_size'
drivers/rpmsg/qcom_glink_native.c
781 if (avail < sizeof(hdr)) {
782 dev_dbg(glink->dev, "Not enough data in fifo\n");
783 return -EAGAIN;
784 }
785
786 qcom_glink_rx_peak(glink, &hdr, 0, sizeof(hdr));
787 chunk_size = le32_to_cpu(hdr.chunk_size);
788 left_size = le32_to_cpu(hdr.left_size);
^^^^^^^^^^^^^^^^^^^^^^^^^^
My private build of Smatch marks le32_to_cpu() as untrusted.
789
790 if (avail < sizeof(hdr) + chunk_size) {
^^^^^^^^^^^^^^^^^^^^^^^^
This could have an integer overflow.
791 dev_dbg(glink->dev, "Payload not yet in fifo\n");
792 return -EAGAIN;
793 }
794
795 rcid = le16_to_cpu(hdr.msg.param1);
796 spin_lock_irqsave(&glink->idr_lock, flags);
797 channel = idr_find(&glink->rcids, rcid);
798 spin_unlock_irqrestore(&glink->idr_lock, flags);
799 if (!channel) {
800 dev_dbg(glink->dev, "Data on non-existing channel\n");
801
802 /* Drop the message */
803 goto advance_rx;
804 }
805
806 if (glink->intentless) {
807 /* Might have an ongoing, fragmented, message to append */
808 if (!channel->buf) {
809 intent = kzalloc(sizeof(*intent), GFP_ATOMIC);
810 if (!intent)
811 return -ENOMEM;
812
813 intent->data = kmalloc(chunk_size + left_size,
^^^^^^^^^^^^^^^^^^^^^^
We haven't check "left_size" at all so Smatch is very suspicious of
this.
814 GFP_ATOMIC);
815 if (!intent->data) {
816 kfree(intent);
817 return -ENOMEM;
818 }
819
See also:
drivers/rpmsg/qcom_smd.c:1227 qcom_channel_scan_worker() warn: potential integer overflow from user 'smem_items[tbl].info_base_id + cid'
drivers/rpmsg/qcom_smd.c:1228 qcom_channel_scan_worker() warn: potential integer overflow from user 'smem_items[tbl].fifo_base_id + cid'
regards,
dan carpenter
reply other threads:[~2018-10-01 17:37 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181001110029.GA20364@mwanda \
--to=dan.carpenter@oracle.com \
--cc=linux-remoteproc@vger.kernel.org \
--cc=sricharan@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.