[PATCH] media: mxl5005s: Bounds check size used for max array index

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] media: mxl5005s: Bounds check size used for max array index
@ 2023-02-04 18:36 Kees Cook
  0 siblings, 0 replies; only message in thread
From: Kees Cook @ 2023-02-04 18:36 UTC (permalink / raw)
  To: Mauro Carvalho Chehab
  Cc: Kees Cook, Colin Ian King, Hans Verkuil, linux-media,
	linux-kernel, linux-hardening

The use of state->CH_Ctrl[i].size in a shift operation implies that its
value can be as much as 32, but the state->CH_Ctrl[i].val array is only
25 in size. Bounds check the size before shifting and looping. Fixes
warnings seen with GCC 13:

../drivers/media/tuners/mxl5005s.c: In function 'MXL_ControlWrite_Group.isra':
../drivers/media/tuners/mxl5005s.c:3450:70: warning: array subscript 32 is above array bounds of 'u16[25]' {aka 'short unsigned int[25]'} [-Warray-bounds=]
 3450 | state->CH_Ctrl[i].val[j] = (u8)((value >> j) & 0x01);
      |  ~~~~~~~~~~~~~~~~~~~~~^~~
../drivers/media/tuners/mxl5005s.c:238:13: note: while referencing 'val'
  238 |         u16 val[25];    /* Binary representation of Value */
      |             ^~~

Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/media/tuners/mxl5005s.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/media/tuners/mxl5005s.c b/drivers/media/tuners/mxl5005s.c
index 3a509038c8df..06dfab9fb8cb 100644
--- a/drivers/media/tuners/mxl5005s.c
+++ b/drivers/media/tuners/mxl5005s.c
@@ -3423,9 +3423,11 @@ static u16 MXL_ControlWrite_Group(struct dvb_frontend *fe, u16 controlNum,
 
 			if (controlNum == state->Init_Ctrl[i].Ctrl_Num) {
 
-				highLimit = 1 << state->Init_Ctrl[i].size;
+				u16 size = min_t(u16, state->Init_Ctrl[i].size,
+					       ARRAY_SIZE(state->Init_Ctrl[i].val));
+				highLimit = 1 << size;
 				if (value < highLimit) {
-					for (j = 0; j < state->Init_Ctrl[i].size; j++) {
+					for (j = 0; j < size; j++) {
 						state->Init_Ctrl[i].val[j] = (u8)((value >> j) & 0x01);
 						MXL_RegWriteBit(fe, (u8)(state->Init_Ctrl[i].addr[j]),
 							(u8)(state->Init_Ctrl[i].bit[j]),
@@ -3442,9 +3444,11 @@ static u16 MXL_ControlWrite_Group(struct dvb_frontend *fe, u16 controlNum,
 
 			if (controlNum == state->CH_Ctrl[i].Ctrl_Num) {
 
-				highLimit = 1 << state->CH_Ctrl[i].size;
+				u16 size = min_t(u16, state->CH_Ctrl[i].size,
+					       ARRAY_SIZE(state->CH_Ctrl[i].val));
+				highLimit = 1 << size;
 				if (value < highLimit) {
-					for (j = 0; j < state->CH_Ctrl[i].size; j++) {
+					for (j = 0; j < size; j++) {
 						state->CH_Ctrl[i].val[j] = (u8)((value >> j) & 0x01);
 						MXL_RegWriteBit(fe, (u8)(state->CH_Ctrl[i].addr[j]),
 							(u8)(state->CH_Ctrl[i].bit[j]),
-- 
2.34.1


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2023-02-04 18:36 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-02-04 18:36 [PATCH] media: mxl5005s: Bounds check size used for max array index Kees Cook

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.