From: Bart Van Assche <bvanassche@acm.org>
To: "Martin K . Petersen" <martin.petersen@oracle.com>,
"James E . J . Bottomley" <jejb@linux.vnet.ibm.com>
Cc: linux-scsi@vger.kernel.org, Bart Van Assche <bvanassche@acm.org>,
Daniel Wagner <dwagner@suse.de>,
Nilesh Javali <njavali@marvell.com>,
Quinn Tran <qutran@marvell.com>,
Himanshu Madhani <himanshu.madhani@oracle.com>,
Martin Wilck <mwilck@suse.com>,
Roman Bolshakov <r.bolshakov@yadro.com>
Subject: [PATCH v2 7/9] qla2xxx: Fix a Coverity complaint in qla2100_fw_dump()
Date: Mon, 29 Jun 2020 15:54:52 -0700
Message-ID: <20200629225454.22863-8-bvanassche@acm.org>
In-Reply-To: <20200629225454.22863-1-bvanassche@acm.org>
'cnt' can exceed the size of the risc_ram[] array. Prevent Coverity from
complaining by rewriting an address calculation expression. This patch fixes
the following Coverity complaint:
CID 337803 (#1 of 1): Out-of-bounds read (OVERRUN)
109. overrun-local: Overrunning array of 122880 bytes at byte offset 122880
by dereferencing pointer &fw->risc_ram[cnt].
Reviewed-by: Daniel Wagner <dwagner@suse.de>
Cc: Nilesh Javali <njavali@marvell.com>
Cc: Quinn Tran <qutran@marvell.com>
Cc: Himanshu Madhani <himanshu.madhani@oracle.com>
Cc: Martin Wilck <mwilck@suse.com>
Cc: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/scsi/qla2xxx/qla_dbg.c | 2 +-
drivers/scsi/qla2xxx/qla_dbg.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
index 19005710f7f6..41493bd53fc0 100644
--- a/drivers/scsi/qla2xxx/qla_dbg.c
+++ b/drivers/scsi/qla2xxx/qla_dbg.c
@@ -1063,7 +1063,7 @@ qla2100_fw_dump(scsi_qla_host_t *vha)
}
if (rval == QLA_SUCCESS)
- qla2xxx_copy_queues(ha, &fw->risc_ram[cnt]);
+ qla2xxx_copy_queues(ha, &fw->queue_dump[0]);
qla2xxx_dump_post_process(base_vha, rval);
}
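Review bot: the new destination `&fw->queue_dump[0]` in the qla2xxx_copy_queues() call is only valid if the dump buffer was allocated with room past the end of struct qla2100_fw_dump, and nothing in this hunk shows or asserts that. The Coverity report places the old pointer at byte offset 122880 of a 122880-byte array, which is exactly one past the end of risc_ram[], so the destination address appears to be unchanged. Please state in the commit message that this is not a functional change and point to where the extra space for the queues is allocated. The argument could also be written simply as `fw->queue_dump`.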
diff --git a/drivers/scsi/qla2xxx/qla_dbg.h b/drivers/scsi/qla2xxx/qla_dbg.h
index 54ed020e6f75..91eb6901815c 100644
--- a/drivers/scsi/qla2xxx/qla_dbg.h
+++ b/drivers/scsi/qla2xxx/qla_dbg.h
@@ -53,6 +53,7 @@ struct qla2100_fw_dump {
__be16 fpm_b0_reg[64];
__be16 fpm_b1_reg[64];
__be16 risc_ram[0xf000];
+ u8 queue_dump[];
};
struct qla24xx_fw_dump {
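Review bot: `u8 queue_dump[];` at the end of struct qla2100_fw_dump is added without a comment saying what it holds or who provides its storage. As a flexible array member it contributes nothing to sizeof(struct qla2100_fw_dump), so any allocation sized from that sizeof has to add the queue size separately. A one-line comment on the member stating that it receives the queue copy made in qla2100_fw_dump() and that the allocation must cover it would document that contract for future readers and for static analysis triage.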