From: Dan Carpenter <dan.carpenter@oracle.com>
To: dan.j.williams@intel.com
Cc: linux-nvdimm@lists.01.org
Subject: [bug report] ACPI: NFIT: Define runtime firmware activation commands
Date: Wed, 11 Nov 2020 14:30:00 +0300 [thread overview]
Message-ID: <20201111113000.GA1237157@mwanda> (raw)
Hello Dan Williams,
The patch 6450ddbd5d8e: "ACPI: NFIT: Define runtime firmware
activation commands" from Jul 20, 2020, leads to the following static
checker warning:
drivers/acpi/nfit/core.c:481 acpi_nfit_ctl()
error: passing untrusted data 'family' to 'test_bit()'
drivers/acpi/nfit/core.c:483 acpi_nfit_ctl()
warn: uncapped user index 'acpi_desc->family_dsm_mask[family]'
drivers/acpi/nfit/core.c
435 int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
436 unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
437 {
438 struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
439 struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
440 union acpi_object in_obj, in_buf, *out_obj;
441 const struct nd_cmd_desc *desc = NULL;
442 struct device *dev = acpi_desc->dev;
443 struct nd_cmd_pkg *call_pkg = NULL;
444 const char *cmd_name, *dimm_name;
445 unsigned long cmd_mask, dsm_mask;
446 u32 offset, fw_status = 0;
447 acpi_handle handle;
448 const guid_t *guid;
449 int func, rc, i;
450 int family = 0;
451
452 if (cmd_rc)
453 *cmd_rc = -EINVAL;
454
455 if (cmd == ND_CMD_CALL)
456 call_pkg = buf;
^^^^^^^^^^^^^^^
If cmd == ND_CMD_CALL then call_pkg aliases buf, i.e. it points at caller-supplied (user-controlled) data, and every field read from it must be treated as untrusted.
457 func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
cmd_to_func() validates "call_pkg->nd_family", but only when nfit_mem is
non-NULL; on the bus path below (nvdimm == NULL, so nfit_mem is presumably
NULL too) nd_family therefore reaches the code below unchecked.
458 if (func < 0)
459 return func;
460
461 if (nvdimm) {
462 struct acpi_device *adev = nfit_mem->adev;
463
464 if (!adev)
465 return -ENOTTY;
466
467 dimm_name = nvdimm_name(nvdimm);
468 cmd_name = nvdimm_cmd_name(cmd);
469 cmd_mask = nvdimm_cmd_mask(nvdimm);
470 dsm_mask = nfit_mem->dsm_mask;
471 desc = nd_cmd_dimm_desc(cmd);
472 guid = to_nfit_uuid(nfit_mem->family);
473 handle = adev->handle;
474 } else {
475 struct acpi_device *adev = to_acpi_dev(acpi_desc);
476
477 cmd_name = nvdimm_bus_cmd_name(cmd);
478 cmd_mask = nd_desc->cmd_mask;
479 if (cmd == ND_CMD_CALL && call_pkg->nd_family) {
480 family = call_pkg->nd_family;
481 if (!test_bit(family, &nd_desc->bus_family_mask))
^^^^^^
If "family" is >= BITS_PER_LONG (or negative, depending on the type of nd_family), test_bit() reads outside the single unsigned long bus_family_mask — an out-of-bounds read rather than an arithmetic overflow.
482 return -EINVAL;
483 dsm_mask = acpi_desc->family_dsm_mask[family];
^^^^^^^^^^^^^^^^^^^^^^^
The same unchecked value is then used directly as an index into family_dsm_mask[], so even if test_bit() happened to return true the array read is uncapped. A range check on "family" against the size of family_dsm_mask is needed before it is used either as a bit index or as an array index.
484 guid = to_nfit_bus_uuid(family);
485 } else {
486 dsm_mask = acpi_desc->bus_dsm_mask;
487 guid = to_nfit_uuid(NFIT_DEV_BUS);
488 }
489 desc = nd_cmd_bus_desc(cmd);
490 handle = adev->handle;
491 dimm_name = "bus";
492 }
493
494 if (!desc || (cmd && (desc->out_num + desc->in_num == 0)))
495 return -ENOTTY;
496
497 /*
498 * Check for a valid command. For ND_CMD_CALL, we also have to
499 * make sure that the DSM function is supported.
500 */
501 if (cmd == ND_CMD_CALL &&
regards,
dan carpenter