* [PATCH] phy: ocelot-serdes: fix out-of-bounds read
@ 2018-10-08 18:06 Gustavo A. R. Silva
2018-10-08 20:55 ` Quentin Schulz
0 siblings, 1 reply; 3+ messages in thread
From: Gustavo A. R. Silva @ 2018-10-08 18:06 UTC (permalink / raw)
To: Kishon Vijay Abraham I, Quentin Schulz, David S. Miller
Cc: linux-kernel, Gustavo A. R. Silva
Currently, there is an out-of-bounds read on array ctrl->phys,
once variable i reaches the maximum array size of SERDES_MAX
in the for loop.
Fix this by changing the condition in the for loop from
i <= SERDES_MAX to i < SERDES_MAX.
Addresses-Coverity-ID: 1473966 ("Out-of-bounds read")
Addresses-Coverity-ID: 1473959 ("Out-of-bounds read")
Fixes: 51f6b410fc22 ("phy: add driver for Microsemi Ocelot SerDes muxing")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/phy/mscc/phy-ocelot-serdes.c b/drivers/phy/mscc/phy-ocelot-serdes.c
index 8936abd..c4eee3a 100644
--- a/drivers/phy/mscc/phy-ocelot-serdes.c
+++ b/drivers/phy/mscc/phy-ocelot-serdes.c
@@ -206,7 +206,7 @@ static struct phy *serdes_simple_xlate(struct device *dev,
port = args->args[0];
idx = args->args[1];
- for (i = 0; i <= SERDES_MAX; i++) {
+ for (i = 0; i < SERDES_MAX; i++) {
struct serdes_macro *macro = phy_get_drvdata(ctrl->phys[i]);
if (idx != macro->idx)
@@ -260,7 +260,7 @@ static int serdes_probe(struct platform_device *pdev)
if (!ctrl->regs)
return -ENODEV;
- for (i = 0; i <= SERDES_MAX; i++) {
+ for (i = 0; i < SERDES_MAX; i++) {
ret = serdes_phy_create(ctrl, i, &ctrl->phys[i]);
if (ret)
return ret;
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] phy: ocelot-serdes: fix out-of-bounds read
2018-10-08 18:06 [PATCH] phy: ocelot-serdes: fix out-of-bounds read Gustavo A. R. Silva
@ 2018-10-08 20:55 ` Quentin Schulz
2018-10-08 21:02 ` Gustavo A. R. Silva
0 siblings, 1 reply; 3+ messages in thread
From: Quentin Schulz @ 2018-10-08 20:55 UTC (permalink / raw)
To: Gustavo A. R. Silva; +Cc: Kishon Vijay Abraham I, David S. Miller, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 2054 bytes --]
Hi Gustavo,
On Mon, Oct 08, 2018 at 08:06:49PM +0200, Gustavo A. R. Silva wrote:
> Currently, there is an out-of-bounds read on array ctrl->phys,
> once variable i reaches the maximum array size of SERDES_MAX
> in the for loop.
>
> Fix this by changing the condition in the for loop from
> i <= SERDES_MAX to i < SERDES_MAX.
>
Thanks for the heads up. However, as defined today, SERDES_MAX is a
valid value so I need it in the iteration. There are two possible fixes
though:
Either we let all the for loops as `for (i = 0; i <= SERDES_MAX; i++)`
and define ctrl->phys as an array of size SERDES_MAX + 1.
Or we modify the for loops as `for (i = 0; i < SERDES_MAX; i++)` and we
update SERDES_MAX in include/dt-bindings/phy/phy-ocelot-serdes.h to be
SERDES6G_MAX + 1.
As you wish!
Thanks,
Quentin
> Addresses-Coverity-ID: 1473966 ("Out-of-bounds read")
> Addresses-Coverity-ID: 1473959 ("Out-of-bounds read")
> Fixes: 51f6b410fc22 ("phy: add driver for Microsemi Ocelot SerDes muxing")
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
> ---
> drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/phy/mscc/phy-ocelot-serdes.c b/drivers/phy/mscc/phy-ocelot-serdes.c
> index 8936abd..c4eee3a 100644
> --- a/drivers/phy/mscc/phy-ocelot-serdes.c
> +++ b/drivers/phy/mscc/phy-ocelot-serdes.c
> @@ -206,7 +206,7 @@ static struct phy *serdes_simple_xlate(struct device *dev,
> port = args->args[0];
> idx = args->args[1];
>
> - for (i = 0; i <= SERDES_MAX; i++) {
> + for (i = 0; i < SERDES_MAX; i++) {
> struct serdes_macro *macro = phy_get_drvdata(ctrl->phys[i]);
>
> if (idx != macro->idx)
> @@ -260,7 +260,7 @@ static int serdes_probe(struct platform_device *pdev)
> if (!ctrl->regs)
> return -ENODEV;
>
> - for (i = 0; i <= SERDES_MAX; i++) {
> + for (i = 0; i < SERDES_MAX; i++) {
> ret = serdes_phy_create(ctrl, i, &ctrl->phys[i]);
> if (ret)
> return ret;
> --
> 2.7.4
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] phy: ocelot-serdes: fix out-of-bounds read
2018-10-08 20:55 ` Quentin Schulz
@ 2018-10-08 21:02 ` Gustavo A. R. Silva
0 siblings, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2018-10-08 21:02 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Kishon Vijay Abraham I, David S. Miller, linux-kernel
Hey Quentin,
On 10/8/18 10:55 PM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Mon, Oct 08, 2018 at 08:06:49PM +0200, Gustavo A. R. Silva wrote:
>> Currently, there is an out-of-bounds read on array ctrl->phys,
>> once variable i reaches the maximum array size of SERDES_MAX
>> in the for loop.
>>
>> Fix this by changing the condition in the for loop from
>> i <= SERDES_MAX to i < SERDES_MAX.
>>
>
> Thanks for the heads up. However, as defined today, SERDES_MAX is a
> valid value so I need it in the iteration. There are two possible fixes
> though:
>
Oh okay. I've got it.
> Either we let all the for loops as `for (i = 0; i <= SERDES_MAX; i++)`
> and define ctrl->phys as an array of size SERDES_MAX + 1.
>
> Or we modify the for loops as `for (i = 0; i < SERDES_MAX; i++)` and we
> update SERDES_MAX in include/dt-bindings/phy/phy-ocelot-serdes.h to be
> SERDES6G_MAX + 1.
>
I think this one is better.
> As you wish!
>
I'll send v2 shortly.
Thanks for the feedback. :)
--
Gustavo
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-10-08 21:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-10-08 18:06 [PATCH] phy: ocelot-serdes: fix out-of-bounds read Gustavo A. R. Silva
2018-10-08 20:55 ` Quentin Schulz
2018-10-08 21:02 ` Gustavo A. R. Silva
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.