From: Alban Bedel <alban.bedel@lht.dlh.de>
To: Zijun Hu <zijun.hu@oss.qualcomm.com>
Cc: driver-core@lists.linux.dev, devicetree@vger.kernel.org,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Daniel Scally <djrscally@gmail.com>,
Heikki Krogerus <heikki.krogerus@linux.intel.com>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>, Rob Herring <robh@kernel.org>,
Saravana Kannan <saravanak@kernel.org>,
linux-kernel@vger.kernel.org, Sashiko <sashiko-bot@kernel.org>,
Alban Bedel <alban.bedel@lht.dlh.de>
Subject: Re: [PATCH v2 2/2] software node: Fix software_node_get_reference_args() with index -1
Date: Mon, 29 Jun 2026 12:50:43 +0200 [thread overview]
Message-ID: <20260629125043.3721e06a@OMT-CWNXR4TFW5-LHT> (raw)
In-Reply-To: <85b2bac4-9882-4f35-81e4-1718a52aacc9@oss.qualcomm.com>
On Sat, 27 Jun 2026 07:50:12 +0800
Zijun Hu <zijun.hu@oss.qualcomm.com> wrote:
> On 6/18/2026 11:20 PM, Alban Bedel wrote:
> > The bounds check for the index passed to
> > software_node_get_reference_args() was failing when passed UINT_MAX,
> > this in turn would lead to an out of bound access in the property
> > array. Fix the bound check to also cover the UINT_MAX case.
> >
> > Fixes: 31e4e12e0e960 ("software node: Correct a OOB check in software_node_get_reference_args()")
>
> i think the fix tag may not be right.
> for original express before the fix tag: if (index * sizeof(*ref) > prop->length)
> for UINT_MAX, multiplication overflow?
You are right both the orignal code and the version introduced in
31e4e12e0e960 are subject to multiplication overflow issues. I added the
fix tag because 31e4e12e0e960 claim to fix an issue but fall short. If
someone backport this commit it might be good if they can find that
it has an issue.
But if that's not an appropriate use of the fix tag I can remove it.
> > Reported-by: Sashiko <sashiko-bot@kernel.org>
> > Closes: https://lore.kernel.org/linux-devicetree/20260611103904.7CB131F00893@smtp.kernel.org/
> > Signed-off-by: Alban Bedel <alban.bedel@lht.dlh.de>
> > --
> > v2: No changes. Only submit this patch along with the patch that
> > triggered the Sashiko report, to hopefully avoid another useless
> > report.
> > ---
> > drivers/base/swnode.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
> > index 869228a65cb36..2bc76f01eb77d 100644
> > --- a/drivers/base/swnode.c
> > +++ b/drivers/base/swnode.c
> > @@ -537,7 +537,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
> > if (prop->is_inline)
> > return -EINVAL;
> >
> > - if ((index + 1) * sizeof(*ref) > prop->length)
> > + if (index >= prop->length / sizeof(*ref))
> > return -ENOENT;
> >
>
> who will use UINT_MAX ?
A likely scenario is if a caller pass a negative errno, for example the
return value of fwnode_property_match_string(). But as you pointed out
there is also the matter of the multiplication overflow, so various
values smaller than UINT_MAX can also lead to a failure.
> This function is a interface function. the best fix should check
> input parameter @index and return -EINVAL if it is not expected?
The index is unsigned, so there is no invalid values, just out of
bounds. The documentation of fwnode_property_get_reference_args() says:
* Return: %0 on success
* %-ENOENT when the index is out of bounds, the index has an empty
* reference or the property was not found
* %-EINVAL on parse error
* %-ENOTCONN when the remote firmware node exists but has not been
* registered yet
So this should return -ENOENT.
Alban
next prev parent reply other threads:[~2026-06-29 10:51 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 15:20 [PATCH v2 1/2] of: property: Fix of_fwnode_get_reference_args() with negative index Alban Bedel
2026-06-18 15:20 ` [PATCH v2 2/2] software node: Fix software_node_get_reference_args() with index -1 Alban Bedel
2026-06-18 15:31 ` sashiko-bot
2026-06-18 18:35 ` Andy Shevchenko
2026-06-22 8:41 ` Alban Bedel
2026-06-26 23:50 ` Zijun Hu
2026-06-29 7:30 ` Andy Shevchenko
2026-06-29 12:33 ` Zijun Hu
2026-06-29 13:13 ` Andy Shevchenko
2026-06-29 10:50 ` Alban Bedel [this message]
2026-06-18 17:09 ` [PATCH v2 1/2] of: property: Fix of_fwnode_get_reference_args() with negative index Rob Herring (Arm)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629125043.3721e06a@OMT-CWNXR4TFW5-LHT \
--to=alban.bedel@lht.dlh.de \
--cc=andriy.shevchenko@linux.intel.com \
--cc=dakr@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=djrscally@gmail.com \
--cc=driver-core@lists.linux.dev \
--cc=gregkh@linuxfoundation.org \
--cc=heikki.krogerus@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=robh@kernel.org \
--cc=sakari.ailus@linux.intel.com \
--cc=saravanak@kernel.org \
--cc=sashiko-bot@kernel.org \
--cc=zijun.hu@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox