* re: mtd: rawnand: add NVIDIA Tegra NAND Flash controller driver
From: Colin Ian King @ 2018-06-26 15:18 UTC (permalink / raw)
To: kernel-janitors
Hi there,
Static analysis with CoverityScan reported a potential issue with the
following commit:
commit 0f7b126ca91101d02d525f7cc880e8c71202a2b7
Author: Stefan Agner <stefan@agner.ch>
Date: Sun Jun 24 23:27:25 2018 +0200
mtd: rawnand: add NVIDIA Tegra NAND Flash controller driver
in function tegra_nand_cmd it looks like there may be potential to pass a
negative value in size into memcpy():
case NAND_OP_DATA_OUT_INSTR:
negative_return_fn: Function nand_subop_get_data_len(subop, op_id)
returns a negative number.
var_assign: Assigning: unsigned variable size = nand_subop_get_data_len.
        size = nand_subop_get_data_len(subop, op_id);
        offset = nand_subop_get_data_start_off(subop, op_id);
        cmd |= COMMAND_TRANS_SIZE(size) | COMMAND_PIO |
               COMMAND_TX | COMMAND_A_VALID;
Argument cannot be negative (NEGATIVE_RETURNS)65. negative_returns: size
is passed to a parameter that cannot be negative.
        memcpy(&reg, instr->ctx.data.buf.out + offset, size);
I also think the same issue may be happening with the
NAND_OP_DATA_IN_INSTR case too.
Colin
* Re: mtd: rawnand: add NVIDIA Tegra NAND Flash controller driver
From: Miquel Raynal @ 2018-06-27 6:52 UTC (permalink / raw)
To: Colin Ian King
Cc: Stefan Agner, Lucas Stach, Dmitry Osipenko, Boris Brezillon,
kernel-janitors@vger.kernel.org, linux-mtd
Hi Colin, Stefan,
+linux-mtd
Thanks Colin for the report.
On Tue, 26 Jun 2018 16:18:29 +0100, Colin Ian King
<colin.king@canonical.com> wrote:
> Hi there,
>
> Static analysis with CoverityScan reported a potential issue with the
> following commit:
>
> commit 0f7b126ca91101d02d525f7cc880e8c71202a2b7
> Author: Stefan Agner <stefan@agner.ch>
> Date: Sun Jun 24 23:27:25 2018 +0200
>
> mtd: rawnand: add NVIDIA Tegra NAND Flash controller driver
>
>
> in function tegra_nand_cmd it looks like there may be potential to pass a
> negative value in size into memcpy():
>
> case NAND_OP_DATA_OUT_INSTR:
>
> negative_return_fn: Function nand_subop_get_data_len(subop, op_id)
> returns a negative number.
>
> var_assign: Assigning: unsigned variable size = nand_subop_get_data_len.
>
> size = nand_subop_get_data_len(subop, op_id);
> offset = nand_subop_get_data_start_off(subop, op_id);
Stefan,
I thought a bit about this and I don't think the right place for such a
fix is the NAND controller drivers (marvell and vf610 have the same
issue). Both nand_subop_get_data/addr_len/start_off() are core helpers
and their result is predictable in a manner that only a bug in your
parsing function would trigger an error value. I think this is safe for
the four helpers to have WARN_ON() on the error conditions to catch
the developer's attention and just return (unsigned int) 0 in this case.
I will propose something soon.
Thanks,
Miquèl
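The pattern discussed in this thread, as an added user-space example that is not part of the original messages or the kernel source: a helper returning a negative errno whose result is stored in an unsigned variable and used as a memcpy() length, next to the "warn and return (unsigned int) 0" form proposed in the reply. All demo_* names and the struct are hypothetical, fprintf() stands in for WARN_ON(), and the clamp to the register width is an extra check assumed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed sub-operation (not the kernel struct). */
struct demo_subop { unsigned int ninstrs; unsigned int data_len; };

/* Pattern Coverity flagged: the helper reports errors as a negative int. */
static int demo_get_data_len(const struct demo_subop *s, unsigned int op_id)
{
	if (op_id >= s->ninstrs)
		return -EINVAL;
	return (int)s->data_len;
}

/* Pattern proposed in the reply: warn loudly, return (unsigned int) 0. */
static unsigned int demo_get_data_len_safe(const struct demo_subop *s, unsigned int op_id)
{
	if (op_id >= s->ninstrs) {
		fprintf(stderr, "WARN: bad op_id %u\n", op_id); /* WARN_ON() stand-in */
		return 0;
	}
	return s->data_len;
}

/* Length memcpy() would receive when the int result lands in an unsigned. */
static size_t demo_unchecked_copy_len(const struct demo_subop *s, unsigned int op_id)
{
	unsigned int size = demo_get_data_len(s, op_id); /* -EINVAL wraps around */
	return size;
}

/* Caller using the safe helper; the clamp is an added check. Returns bytes copied. */
static size_t demo_fill_reg(const struct demo_subop *s, unsigned int op_id,
			    const unsigned char *out, unsigned int *reg)
{
	size_t size = demo_get_data_len_safe(s, op_id);
	if (size > sizeof(*reg))
		size = sizeof(*reg);
	memcpy(reg, out, size);
	return size;
}

int main(void)
{
	struct demo_subop s = { 1, 2 }; /* constructed: one instruction, 2 data bytes */
	printf("unchecked length for bad op_id: %zu\n", demo_unchecked_copy_len(&s, 1));
	return 0;
}
```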