From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F862C433E1 for ; Fri, 21 Aug 2020 05:42:03 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DD6382075E for ; Fri, 21 Aug 2020 05:42:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="2fp9hDMt" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DD6382075E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=rC2pvXhvj9qGpIstzO9vVHDXNiPdnoxf2cQaycBsR2M=; b=2fp9hDMtJNvS+N8QAWArfIhdk m/9wF6Gn8OOXBCPxrNrIhZVzk4WdiVXb5AqNKzP7dxS/7Iee5rCXDRZXsayffOQExTidgB5bc4Osx dxhLAmLCwc+uvmhF3iB7ufTtiqV65VyCi2pGLDHlr93dtPDjYSwoL9FPht9div6uQyE5cyLz1SaqK 4w2BFz+uCo5jRKfn3Yc3pDjwWofCwisz5DELeMaworZf49zm0APB+35tnaBWFyzkLFU2vxExDPJsw hE/DFo6l5YiDPSpsibPxvSiQpXOczBMzqnBUt+T/ub/SyMJnw5aXxyo/f9w0RxPcJMDoQsjA5zi40 t+VweyN5w==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1k8zmw-0002Qg-3H; Fri, 21 Aug 2020 05:40:30 +0000 Received: from mail-wm1-f66.google.com ([209.85.128.66]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1k8zmt-0002Q8-NM for linux-arm-kernel@lists.infradead.org; Fri, 21 Aug 2020 05:40:28 +0000 Received: by mail-wm1-f66.google.com with SMTP id 3so642647wmi.1 for ; Thu, 20 Aug 2020 22:40:27 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=GYy21gsBobrfE+n697gXaTEDTqhXl3ZvlItxvgDKUpg=; b=cfVh+tp/M1+e8JzBMZ+rmSfSoh2Y05HRC/iFJirqEZWO2NuqXyTRvZj4vcyeB+TiyV t1Ag3KXhtbUJQq6mGoZb5IPE8vV/zUFGI3kgMYVzvuAtE+tBplz/dtneEHER0sz+eS5P rppWeUK5b9N5f677TsAEm/1jayEXVCO3ZnWea55GmSYlKm0EmyA5CO+VlyNxYFUwcwsW Enxqr6IXsM6wWgg5yOd93wWeHM+9GIQ6c2A7p86RdgGdEq4IWbKxUfXUG4xfcty97nOW e3cDouA3P9H6xIipJJKvktWL6BAlwCMQLxV92RfeEIs7k6+pseyNC+6/qv57iAv64FMf fRuQ== X-Gm-Message-State: AOAM530A5tCFyZ+gd5CAdEfUtKvv8o5ho4o7zygPGfRFEs2f9SijS7pj l9PEJTeV6LTmbL1SLipXve4= X-Google-Smtp-Source: ABdhPJyKwq7JDwgNVczIaowypJVZ0FDSzLrM9VMY1YsL5y6vs+Zgx/KETjQQwLwGckNGQ1ngq5R/uQ== X-Received: by 2002:a1c:ab06:: with SMTP id u6mr1228329wme.172.1597988426324; Thu, 20 Aug 2020 22:40:26 -0700 (PDT) Received: from kozik-lap ([194.230.155.216]) by smtp.googlemail.com with ESMTPSA id s20sm2220457wmh.21.2020.08.20.22.40.24 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 20 Aug 2020 22:40:25 -0700 (PDT) Date: Fri, 21 Aug 2020 07:40:23 +0200 From: Krzysztof Kozlowski To: Markus Mayer Subject: Re: [PATCH] memory: brcmstb_dpfe: fix array index out of bounds Message-ID: <20200821054023.GA3906@kozik-lap> References: <20200821010333.20436-1-mmayer@broadcom.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200821010333.20436-1-mmayer@broadcom.com> User-Agent: Mutt/1.9.4 (2018-02-28) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200821_014027_791492_1E40568F X-CRM114-Status: GOOD ( 28.91 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Colin Ian King , Florian Fainelli , BCM Kernel Feedback , Linux Kernel , Linux ARM Kernel Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Aug 20, 2020 at 06:03:33PM -0700, Markus Mayer wrote: > We would overrun the error_text array if we hit a TIMEOUT condition, > because we were using the error code "ETIMEDOUT" (which is 110) as an > array index. > > We fix the problem by correcting the array index and by providing a > function to retrieve error messages rather than accessing the array > directly. The function includes a bounds check that prevents the array > from being overrun. > > Signed-off-by: Markus Mayer > --- > > This patch was prepared in response to https://lkml.org/lkml/2020/8/18/505. > > drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++------- > 1 file changed, 16 insertions(+), 7 deletions(-) > > diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c > index 81abc4a98a27..a986a849f58e 100644 > --- a/drivers/memory/brcmstb_dpfe.c > +++ b/drivers/memory/brcmstb_dpfe.c > @@ -190,11 +190,6 @@ struct brcmstb_dpfe_priv { > struct mutex lock; > }; > > -static const char * const error_text[] = { > - "Success", "Header code incorrect", "Unknown command or argument", > - "Incorrect checksum", "Malformed command", "Timed out", > -}; > - > /* > * Forward declaration of our sysfs attribute functions, so we can declare the > * attribute data structures early. > @@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = { > }, > }; > > +static const char * const get_error_text(unsigned int i) The pointer itself is returned by value and you cannot return a const value. I mean, you can but it does not have an effect. Only pointed memory should be const (const const char*). Best regards, Krzysztof > +{ > + static const char * const error_text[] = { > + "Success", "Header code incorrect", > + "Unknown command or argument", "Incorrect checksum", > + "Malformed command", "Timed out", "Unknown error", > + }; > + > + if (unlikely(i >= ARRAY_SIZE(error_text))) > + i = ARRAY_SIZE(error_text) - 1; > + > + return error_text[i]; > +} > + > static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv) > { > u32 val; > @@ -446,7 +455,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd, > } > if (resp != 0) { > mutex_unlock(&priv->lock); > - return -ETIMEDOUT; > + return -ffs(DCPU_RET_ERR_TIMEDOUT); > } > > /* Compute checksum over the message */ > @@ -695,7 +704,7 @@ static ssize_t generic_show(unsigned int command, u32 response[], > > ret = __send_command(priv, command, response); > if (ret < 0) > - return sprintf(buf, "ERROR: %s\n", error_text[-ret]); > + return sprintf(buf, "ERROR: %s\n", get_error_text(-ret)); > > return 0; > } > -- > 2.17.1 > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel