[PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array
       [not found] <200708130016.11281.jesper.juhl@gmail.com>
@ 2007-08-12 22:21 ` Jesper Juhl
  2007-08-13 10:56   ` James Smart
  0 siblings, 1 reply; 5+ messages in thread
From: Jesper Juhl @ 2007-08-12 22:21 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Linux Kernel Mailing List, James Smart, linux-scsi,
	James Bottomley, Jesper Juhl

(previously send on 09-Aug-2007 20:47)

Hi,

The Coverity checker noticed that we may overrun a statically allocated 
array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find().

The case is this; In 'struct lpfc_hba' we have 

	#define LPFC_MAX_HBQS  4
	...
	struct lpfc_hba {
		...
		struct hbq_s hbqs[LPFC_MAX_HBQS];
		...
	};

But then in lpfc_sli_hbqbuf_find() we have this code 

	hbqno = tag >> 16;
	if (hbqno > LPFC_MAX_HBQS)
		return NULL;

if 'hbqno' ends up as exactely 4, then we won't return, and then this

	list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {

will cause an overflow of the statically allocated array at index 4, 
since the valid indices are only 0-3. 

I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS' 
into 'hbqno >= LPFC_MAX_HBQS' as a possible fix.


Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Acked-by: James Smart <james.smart@emulex.com>
---

 drivers/scsi/lpfc/lpfc_sli.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index ce5ff2b..e5337ad 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -675,7 +675,7 @@ lpfc_sli_hbqbuf_find(struct lpfc_hba *phba, uint32_t tag)
 	uint32_t hbqno;
 
 	hbqno = tag >> 16;
-	if (hbqno > LPFC_MAX_HBQS)
+	if (hbqno >= LPFC_MAX_HBQS)
 		return NULL;
 
 	list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {




^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array
  2007-08-12 22:21 ` [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array Jesper Juhl
@ 2007-08-13 10:56   ` James Smart
  2007-08-13 11:15     ` Jesper Juhl
  0 siblings, 1 reply; 5+ messages in thread
From: James Smart @ 2007-08-13 10:56 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: Andrew Morton, Linux Kernel Mailing List, linux-scsi,
	James Bottomley

NACK

The fix is contained in our 8.2.2 sources recently posted and pushed by James
as part of his last scsi fixes.

-- james s

Jesper Juhl wrote:
> (previously send on 09-Aug-2007 20:47)
> 
> Hi,
> 
> The Coverity checker noticed that we may overrun a statically allocated 
> array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find().
> 
> The case is this; In 'struct lpfc_hba' we have 
> 
> 	#define LPFC_MAX_HBQS  4
> 	...
> 	struct lpfc_hba {
> 		...
> 		struct hbq_s hbqs[LPFC_MAX_HBQS];
> 		...
> 	};
> 
> But then in lpfc_sli_hbqbuf_find() we have this code 
> 
> 	hbqno = tag >> 16;
> 	if (hbqno > LPFC_MAX_HBQS)
> 		return NULL;
> 
> if 'hbqno' ends up as exactely 4, then we won't return, and then this
> 
> 	list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {
> 
> will cause an overflow of the statically allocated array at index 4, 
> since the valid indices are only 0-3. 
> 
> I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS' 
> into 'hbqno >= LPFC_MAX_HBQS' as a possible fix.
> 
> 
> Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
> Acked-by: James Smart <james.smart@emulex.com>
> ---
> 
>  drivers/scsi/lpfc/lpfc_sli.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
> index ce5ff2b..e5337ad 100644
> --- a/drivers/scsi/lpfc/lpfc_sli.c
> +++ b/drivers/scsi/lpfc/lpfc_sli.c
> @@ -675,7 +675,7 @@ lpfc_sli_hbqbuf_find(struct lpfc_hba *phba, uint32_t tag)
>  	uint32_t hbqno;
>  
>  	hbqno = tag >> 16;
> -	if (hbqno > LPFC_MAX_HBQS)
> +	if (hbqno >= LPFC_MAX_HBQS)
>  		return NULL;
>  
>  	list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {
> 
> 
> 
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array
  2007-08-13 10:56   ` James Smart
@ 2007-08-13 11:15     ` Jesper Juhl
  2007-08-13 13:10       ` James Smart
  0 siblings, 1 reply; 5+ messages in thread
From: Jesper Juhl @ 2007-08-13 11:15 UTC (permalink / raw)
  To: James.Smart
  Cc: Andrew Morton, Linux Kernel Mailing List, linux-scsi,
	James Bottomley

On 13/08/07, James Smart <James.Smart@emulex.com> wrote:
> NACK
>
> The fix is contained in our 8.2.2 sources recently posted and pushed by James
> as part of his last scsi fixes.
>

I actually did look for it, but couldn't find any lpfc commits with me
listed as author, so I assumed it had not been merged.
I just looked again, at the source this time, up-to-date mainline git
tree, and I still see

        hbqno = tag >> 16;
        if (hbqno > LPFC_MAX_HBQS)
                return NULL;

in drivers/scsi/lpfc/lpfc_sli.c

???


> -- james s
>
> Jesper Juhl wrote:
> > (previously send on 09-Aug-2007 20:47)
> >
> > Hi,
> >
> > The Coverity checker noticed that we may overrun a statically allocated
> > array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find().
...

-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array
  2007-08-13 11:15     ` Jesper Juhl
@ 2007-08-13 13:10       ` James Smart
  2007-08-13 15:01         ` Jesper Juhl
  0 siblings, 1 reply; 5+ messages in thread
From: James Smart @ 2007-08-13 13:10 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: Andrew Morton, Linux Kernel Mailing List, linux-scsi,
	James Bottomley

Ok.... here's what happened,

- We changed the define so that it matched what we are using. We never configure
   more than 4 HBQ, thus the index will never be beyond 0-3. The if-check is actually
   innoculous. Given that the change wasn't your patch, we didn't include you as
   the author.

- Coding-wise, you are right, we still didn't fix the range check.

Since this really is just something to keep the tools happy - I'll recind the NACK.
I'll worry about simply removing this if-check later...

James/Andrew, accept this patch - ACK.

-- james s

Jesper Juhl wrote:
> On 13/08/07, James Smart <James.Smart@emulex.com> wrote:
>> NACK
>>
>> The fix is contained in our 8.2.2 sources recently posted and pushed by James
>> as part of his last scsi fixes.
>>
> 
> I actually did look for it, but couldn't find any lpfc commits with me
> listed as author, so I assumed it had not been merged.
> I just looked again, at the source this time, up-to-date mainline git
> tree, and I still see
> 
>         hbqno = tag >> 16;
>         if (hbqno > LPFC_MAX_HBQS)
>                 return NULL;
> 
> in drivers/scsi/lpfc/lpfc_sli.c
> 
> ???
> 
> 
>> -- james s
>>
>> Jesper Juhl wrote:
>>> (previously send on 09-Aug-2007 20:47)
>>>
>>> Hi,
>>>
>>> The Coverity checker noticed that we may overrun a statically allocated
>>> array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find().
> ...
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array
  2007-08-13 13:10       ` James Smart
@ 2007-08-13 15:01         ` Jesper Juhl
  0 siblings, 0 replies; 5+ messages in thread
From: Jesper Juhl @ 2007-08-13 15:01 UTC (permalink / raw)
  To: James.Smart
  Cc: Andrew Morton, Linux Kernel Mailing List, linux-scsi,
	James Bottomley

On 13/08/07, James Smart <James.Smart@emulex.com> wrote:
> Ok.... here's what happened,
>
> - We changed the define so that it matched what we are using. We never configure
>    more than 4 HBQ, thus the index will never be beyond 0-3. The if-check is actually
>    innoculous. Given that the change wasn't your patch, we didn't include you as
>    the author.
>
And that's not a problem. I only mentioned it to explain how I
searched for the patch before I resend it.

> - Coding-wise, you are right, we still didn't fix the range check.
>
> Since this really is just something to keep the tools happy - I'll recind the NACK.
> I'll worry about simply removing this if-check later...
>
> James/Andrew, accept this patch - ACK.
>


-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2007-08-13 15:01 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <200708130016.11281.jesper.juhl@gmail.com>
2007-08-12 22:21 ` [PATCH 4/6][RESEND] Emulex FC HBA driver: fix overflow of statically allocated array Jesper Juhl
2007-08-13 10:56   ` James Smart
2007-08-13 11:15     ` Jesper Juhl
2007-08-13 13:10       ` James Smart
2007-08-13 15:01         ` Jesper Juhl

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox