Date: Mon, 2 Jan 2023 13:41:21 +0000
From: Sakari Ailus
To: Aleksandr Burakov
Cc: Bingbu Cao, Tianshu Qiu, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node
References: <20221223123025.5948-1-a.burakov@rosalinux.ru>
In-Reply-To: <20221223123025.5948-1-a.burakov@rosalinux.ru>

Hi Aleksandr,

On Fri, Dec 23, 2022 at 03:30:25PM +0300, Aleksandr Burakov wrote:
> If imgu_node_map[i].css_queue is not equal to css_queue
> then "i" after the loop could be equal to IMGU_NODE_NUM
> that is more than the border value (IMGU_NODE_NUM - 1).
> So imgu_map_node() call may return IMGU_NODE_NUM that is more
> than the expected value.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
> Signed-off-by: Aleksandr Burakov
> ---
> drivers/staging/media/ipu3/ipu3.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
> index 0c453b37f8c4..cb09eb3cc227 100644
> --- a/drivers/staging/media/ipu3/ipu3.c
> +++ b/drivers/staging/media/ipu3/ipu3.c
> @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue)
> for (i = 0; i < IMGU_NODE_NUM; i++)
> if (imgu_node_map[i].css_queue == css_queue)
> break;
> -
> - return i;
> + if (i < IMGU_NODE_NUM)
> + return i;
> + else
> + return (IMGU_NODE_NUM - 1);
> }
>
> /**************** Dummy buffers ****************/

Thanks for the patch.

It would require a bug elsewhere in the driver for this to happen. If some handling for this case is added, it shouldn't be hiding the issue. One easy way could be to add WARN_ON() for this, and return some value (as you do). Zero would do equally well. I.e.

	return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;

-- 
Sakari Ailus
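Review bot: the miss path `+ return (IMGU_NODE_NUM - 1);` silently maps an unknown css_queue onto the last node, so the caller bug that produced the bad queue is masked rather than surfaced. Keep the index in range but make the miss visible, e.g. `return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;`, which also drops the redundant `else` after `return i;`.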
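Added example, written for this page and not code from the ipu3 driver or from either participant: a stand-alone C model of the imgu_map_node() loop over a constructed four-entry table, comparing the unchecked return, the posted patch's clamp to IMGU_NODE_NUM - 1, and the WARN_ON()-style fallback suggested in the reply (warn_count stands in for WARN_ON(), since there is no kernel here).

```c
/* Stand-alone model of the imgu_map_node() lookup; not the driver's code. */
#include <stdio.h>

#define IMGU_NODE_NUM 4   /* constructed table size, not the driver's value */

/* Constructed css_queue ids standing in for the driver's imgu_node_map[]. */
static const struct { unsigned int css_queue; } imgu_node_map[IMGU_NODE_NUM] = {
	{ 10 }, { 11 }, { 12 }, { 13 },
};

/* Number of detected misses; a stand-in for the WARN_ON() splat. */
unsigned int warn_count;

/* Before the patch: a miss leaves i == IMGU_NODE_NUM, one past the last
 * valid index of any IMGU_NODE_NUM-sized array a caller indexes with it. */
unsigned int map_node_unchecked(unsigned int css_queue)
{
	unsigned int i;

	for (i = 0; i < IMGU_NODE_NUM; i++)
		if (imgu_node_map[i].css_queue == css_queue)
			break;
	return i;
}

/* The patch as posted: a miss is silently aliased to the last node. */
unsigned int map_node_clamped(unsigned int css_queue)
{
	unsigned int i = map_node_unchecked(css_queue);

	return i < IMGU_NODE_NUM ? i : IMGU_NODE_NUM - 1;
}

/* The reviewer's variant: the index stays in range and the miss is loud. */
unsigned int map_node_warn(unsigned int css_queue)
{
	unsigned int i = map_node_unchecked(css_queue);

	if (i >= IMGU_NODE_NUM) {
		warn_count++;   /* kernel: WARN_ON(i >= IMGU_NODE_NUM) */
		return 0;
	}
	return i;
}

int main(void)
{
	unsigned int miss = map_node_unchecked(99);   /* 99 is in no entry */

	printf("unchecked: %u (valid index: %s)\n", miss, miss < IMGU_NODE_NUM ? "yes" : "no");
	printf("clamped: %u\n", map_node_clamped(99));
	printf("warn: %u\n", map_node_warn(99));
	printf("misses flagged: %u\n", warn_count);
	return 0;
}
```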