From: Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Geert Uytterhoeven <geert-Td1EMuHUCqxL1ZNQvxDV9g@public.gmane.org>
Cc: Pantelis Antoniou
<pantelis.antoniou-OWPKS81ov/FWk0Htik3J/w@public.gmane.org>,
Rob Herring <robh+dt-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Grant Likely
<grant.likely-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
Arnd Bergmann <arnd-r2nGTMty4D4@public.gmane.org>,
"devicetree-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<devicetree-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] of: overlay: Fix uninitialized vars in dup_and_fixup_symbol_prop()
Date: Tue, 19 Sep 2017 17:20:53 -0700 [thread overview]
Message-ID: <59C1B465.1010209@gmail.com> (raw)
In-Reply-To: <CAMuHMdUo=O6J4Qs8J+Jrx6LFeLRmE77hzpfaAUFYtdfYN1-hpw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On 09/19/17 13:16, Geert Uytterhoeven wrote:
> Hi Frank,
>
> On Tue, Sep 19, 2017 at 8:27 PM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> On 09/10/17 03:26, Geert Uytterhoeven wrote:
>>> With gcc 4.1.2:
>>>
>>> drivers/of/overlay.c: In function ‘dup_and_fixup_symbol_prop’:
>>> drivers/of/overlay.c:108: warning: ‘overlay_name_len’ may be used uninitialized in this function
>>> drivers/of/overlay.c:100: warning: ‘ovinfo’ may be used uninitialized in this function
>>>
>>> Indeed, if ov->count == 0, both variables are uninitialized, which may
>>> lead to a crash when dereferencing ovinfo later.
>>>
>>> Currently this is a false positive, as the sole creator of of_overlay
>>> structures (of_build_overlay_info(), introduced in commit
>>> 7518b5890d8ac366 ("of/overlay: Introduce DT overlay support")) checks for
>>> this.
>>>
>>> To prevent future issues, add a check for a zero ov->count to
>>> dup_and_fixup_symbol_prop(). Note that this does not get rid of the
>>> actual compiler warning.
>>>
>>> Fixes: d1651b03c2df75db ("of: overlay: add overlay symbols to live device tree")
>>> Signed-off-by: Geert Uytterhoeven <geert-Td1EMuHUCqxL1ZNQvxDV9g@public.gmane.org>
>>> ---
>>> drivers/of/overlay.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
>>> index 8ecfee31ab6d3874..ebe19e0f8e4d1f4b 100644
>>> --- a/drivers/of/overlay.c
>>> +++ b/drivers/of/overlay.c
>>> @@ -108,7 +108,7 @@ static struct property *dup_and_fixup_symbol_prop(struct of_overlay *ov,
>>> int overlay_name_len;
>>> int target_path_len;
>>>
>>> - if (!prop->value)
>>> + if (!ov->count || !prop->value)
>>> return NULL;
>>> symbol_path = prop->value;
>>>
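Review bot: the added `!ov->count` test on the `+` line is redundant with the existing `if (k >= ov->count) goto err_free;` later in this function (quoted in the reply that follows): with count == 0 the lookup loop body never runs, k stays 0, and the error path is taken before ovinfo or overlay_name_len is ever read. As the commit message itself concedes, the change also leaves the gcc 4.1.2 "may be used uninitialized" warning in place. If the goal is to quiet that warning, initializing the two declarations at their definition (e.g. `int overlay_name_len = 0;` and the matching `ovinfo = NULL`) addresses it directly; otherwise keep `if (!prop->value)` as it was and drop the extra condition.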
>>
>> I did not see this patch due to an overzealous spam filter. I noticed it
>> when Rob replied with his applied email.
>>
>> This check is not needed to prevent accessing overlay_name_len and ovinfo
>> when ov->count == 0. That is already prevented by:
>>
>> if (k >= ov->count)
>> goto err_free;
>>
>> because k will be zero and ov->count will be zero.
>
> Thank you, I stand corrected.
No problem. It's not real obvious, you really need to stop and
ponder.
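The argument in Frank's reply above, worked through as a constructed C model added here (this is not kernel code): the loop index k doubles as the "not found" flag, so the `k >= count` check already covers the empty-array case and a separate `!count` guard adds nothing. The names `lookup_model`, `ovinfo_model` and `overlay_model` are assumptions standing in for the real structures.

```c
/* Constructed model of the lookup pattern discussed in the thread.
 * When count == 0 the loop body never runs, k stays 0, and k >= count
 * sends control to the error path before info/name_len are read. */
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the per-overlay info the real code walks. */
struct ovinfo_model {
    const char *name;   /* overlay node name, e.g. "fragment@0" */
};

struct overlay_model {
    struct ovinfo_model *ovinfo;  /* array of count entries */
    int count;
};

/* Return the index of the entry whose name prefixes symbol_path, or -1 on
 * the error path. name_len_out is written only on success, which is the
 * property the k >= count check guarantees even when count == 0. */
int lookup_model(const struct overlay_model *ov, const char *symbol_path,
                 size_t *name_len_out)
{
    struct ovinfo_model *info;   /* untouched if count == 0 */
    size_t name_len;             /* untouched if count == 0 */
    int k;

    for (k = 0; k < ov->count; k++) {
        info = &ov->ovinfo[k];
        name_len = strlen(info->name);
        if (strncmp(symbol_path, info->name, name_len) == 0)
            break;
    }
    if (k >= ov->count)
        goto err;                /* count == 0 lands here with k == 0 */

    *name_len_out = name_len;    /* only reached once info/name_len are set */
    return k;
err:
    return -1;
}
```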