* Re: [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver
[not found] <20130903233716.5333B660D6B@gitolite.kernel.org>
@ 2013-09-04 23:27 ` Dave Jones
0 siblings, 0 replies; 5+ messages in thread
From: Dave Jones @ 2013-09-04 23:27 UTC (permalink / raw)
To: Linux Kernel Mailing List; +Cc: linux-scsi, bgrove
> +struct esas2r_adapter {
> + struct esas2r_target targetdb[ESAS2R_MAX_TARGETS];
> + struct esas2r_target *targetdb_end;
...
> + u8 fw_coredump_buff[ESAS2R_FWCOREDUMP_SZ];
> +void esas2r_reset_chip(struct esas2r_adapter *a)
> +{
> + if (!esas2r_is_adapter_present(a))
> + return;
> +
> + /*
> + * Before we reset the chip, save off the VDA core dump. The VDA core
> + * dump is located in the upper 512KB of the onchip SRAM. Make sure
> + * to not overwrite a previous crash that was saved.
> + */
> + if ((a->flags2 & AF2_COREDUMP_AVAIL)
> + && !(a->flags2 & AF2_COREDUMP_SAVED)
> + && a->fw_coredump_buff) {
> + esas2r_read_mem_block(a,
> + a->fw_coredump_buff,
> + MW_DATA_ADDR_SRAM + 0x80000,
> + ESAS2R_FWCOREDUMP_SZ);
Comparing an array (fw_coredump_buff) to null probably isn't what you intended here.
Dave
^ permalink raw reply [flat|nested] 5+ messages in thread
* re: [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver
@ 2020-04-10 14:09 Colin Ian King
0 siblings, 0 replies; 5+ messages in thread
From: Colin Ian King @ 2020-04-10 14:09 UTC (permalink / raw)
To: Bradley Grove, James E.J. Bottomley, Martin K. Petersen,
linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Hi,
Static analysis wit Coverity has found an issue in the following commit:
commit 26780d9e12edf45c0b98315de272b1feff5a8e93
Author: Bradley Grove <bgrove@attotech.com>
Date: Fri Aug 23 10:35:45 2013 -0400
[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter
Driver
The issue is in function write_fs in drivers/scsi/esas2r/esas2r_main.c
as follows:
101 int result = 0;
102
103 result = esas2r_write_fs(a, buf, off, count);
104
105 if (result < 0)
Unused value (UNUSED_VALUE) assigned_value: Assigning value 0 to result
here, but that stored value is not used.
106 result = 0;
107
108 return length;
I'm not sure what the intention was for this. Was length meant to be
assigned to 0 rather than result? Or is the result < 0 check just
unnecessary code?
Colin
^ permalink raw reply [flat|nested] 5+ messages in thread* re: [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver
@ 2014-09-18 14:23 Dan Carpenter
0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2014-09-18 14:23 UTC (permalink / raw)
To: bgrove; +Cc: linux-scsi
Hello Bradley Grove,
The patch 26780d9e12ed: "[SCSI] esas2r: ATTO Technology ExpressSAS 6G
SAS/SATA RAID Adapter Driver" from Aug 23, 2013, leads to the
following static checker warning:
drivers/scsi/esas2r/esas2r_ioctl.c:1902 esas2r_read_vda()
error: 'count' from user is not capped properly
drivers/scsi/esas2r/esas2r_ioctl.c
1892
1893 if (off > VDA_MAX_BUFFER_SIZE)
1894 return 0;
1895
1896 if (count + off > VDA_MAX_BUFFER_SIZE)
^^^^^
"count" is a user controlled int. Let's assume we're on a 32 system for
simplicity. If count is a high positive number here, then count + off
is negative and thus less than VDA_MAX_BUFFER_SIZE.
1897 count = VDA_MAX_BUFFER_SIZE - off;
1898
1899 if (count < 0)
1900 return 0;
1901
1902 memcpy(buf, a->vda_buffer + off, count);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Memory corruption.
1903
1904 return count;
1905 }
"count" comes from the ioctl. Let's look at that:
drivers/scsi/esas2r/esas2r_ioctl.c
1476 case EXPRESS_IOCTL_VDA:
1477 err = esas2r_write_vda(a,
1478 (char *)&ioctl->data.ioctl_vda,
1479 0,
1480 sizeof(struct atto_ioctl_vda) +
1481 ioctl->data.ioctl_vda.data_length);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1482
1483 if (err >= 0) {
1484 err = esas2r_read_vda(a,
1485 (char *)&ioctl->data.ioctl_vda,
1486 0,
1487 sizeof(struct atto_ioctl_vda) +
1488 ioctl->data.ioctl_vda.data_length);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These additions have integer overflow bugs. It seems harmless to me,
but hopefully static checkers will eventually start complaining about
them.
1489 }
1490
1491
1492
1493
1494 break;
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread* re: [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver
@ 2013-08-29 8:46 Dan Carpenter
0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2013-08-29 8:46 UTC (permalink / raw)
To: bgrove; +Cc: linux-scsi
Hello Bradley Grove,
The patch 17adeb6dabbe: "[SCSI] esas2r: ATTO Technology ExpressSAS 6G
SAS/SATA RAID Adapter Driver" from Aug 23, 2013, leads to the
following Smatch warning:
"drivers/scsi/esas2r/esas2r_vda.c:312 esas2r_complete_vda_ioctl()
error: format string overflow. buf_size: 4 length: 5"
drivers/scsi/esas2r/esas2r_vda.c
312 sprintf((char *)&cfg->data.init.fw_release,
^^^^^^^^^^^^^^^^^^^^^^^^^
This is a u32 but we are writing 4 characters and a NUL so it ends up
putting the NUL in cfg->data.init.epoch_time.
313 "%1d.%02d",
314 (int)LOBYTE(le16_to_cpu(rsp->fw_release)),
315 (int)HIBYTE(le16_to_cpu(rsp->fw_release)));
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread* re: [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver
@ 2013-08-29 8:45 Dan Carpenter
0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2013-08-29 8:45 UTC (permalink / raw)
To: bgrove; +Cc: linux-scsi
Hello Bradley Grove,
This is a semi-automatic email about new static checker warnings.
The patch 17adeb6dabbe: "[SCSI] esas2r: ATTO Technology ExpressSAS 6G
SAS/SATA RAID Adapter Driver" from Aug 23, 2013, leads to the
following Smatch complaint:
drivers/scsi/esas2r/esas2r_init.c:671 esas2r_cleanup()
warn: variable dereferenced before check 'host' (see line 668)
drivers/scsi/esas2r/esas2r_init.c
667 {
668 struct esas2r_adapter *a = (struct esas2r_adapter *)host->hostdata;
^^^^^^^^^^^^^^
Patch adds dereference.
669 int index;
670
671 if (host == NULL) {
^^^^^^^^^^^^
Patch adds check.
672 int i;
673
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-04-10 14:09 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20130903233716.5333B660D6B@gitolite.kernel.org>
2013-09-04 23:27 ` [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver Dave Jones
2020-04-10 14:09 Colin Ian King
-- strict thread matches above, loose matches on Subject: below --
2014-09-18 14:23 Dan Carpenter
2013-08-29 8:46 Dan Carpenter
2013-08-29 8:45 Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).