[bug report] [PATCH] powerpc: Thermal control for dual core G5s

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

* [bug report] [PATCH] powerpc: Thermal control for dual core G5s
@ 2016-07-13 10:15 Dan Carpenter
  2016-07-13 22:44 ` Benjamin Herrenschmidt
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2016-07-13 10:15 UTC (permalink / raw)
  To: benh; +Cc: linuxppc-dev

Hello Benjamin Herrenschmidt,

The patch ac171c46667c: "[PATCH] powerpc: Thermal control for dual
core G5s" from Feb 8, 2006, leads to the following static checker
warning:

	drivers/macintosh/windfarm_smu_controls.c:83 smu_set_fan()
	warn: buffer overflow 'buffer' 16 <= 16

drivers/macintosh/windfarm_smu_controls.c
    54  static int smu_set_fan(int pwm, u8 id, u16 value)
    55  {
    56          struct smu_cmd cmd;
    57          u8 buffer[16];
                   ^^^^^^^^^^
16 bytes.

    58          DECLARE_COMPLETION_ONSTACK(comp);
    59          int rc;
    60  
    61          /* Fill SMU command structure */
    62          cmd.cmd = SMU_CMD_FAN_COMMAND;
    63  
    64          /* The SMU has an "old" and a "new" way of setting the fan speed
    65           * Unfortunately, I found no reliable way to know which one works
    66           * on a given machine model. After some investigations it appears
    67           * that MacOS X just tries the new one, and if it fails fallbacks
    68           * to the old ones ... Ugh.
    69           */
    70   retry:
    71          if (smu_supports_new_fans_ops) {
    72                  buffer[0] = 0x30;
    73                  buffer[1] = id;
    74                  *((u16 *)(&buffer[2])) = value;
    75                  cmd.data_len = 4;
    76          } else {
    77                  if (id > 7)
                            ^^^^^^
Assume id is 7.

    78                          return -EINVAL;
    79                  /* Fill argument buffer */
    80                  memset(buffer, 0, 16);
    81                  buffer[0] = pwm ? 0x10 : 0x00;
    82                  buffer[1] = 0x01 << id;
    83                  *((u16 *)&buffer[2 + id * 2]) = value;
                                  ^^^^^^^^^^^^^^^^^^
2 + 7 * 2 = 16.  We're write two bytes beyond the end of the array.

    84                  cmd.data_len = 14;
    85          }
    86  


regards,
dan carpenter

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [bug report] [PATCH] powerpc: Thermal control for dual core G5s
  2016-07-13 10:15 [bug report] [PATCH] powerpc: Thermal control for dual core G5s Dan Carpenter
@ 2016-07-13 22:44 ` Benjamin Herrenschmidt
  0 siblings, 0 replies; 2+ messages in thread
From: Benjamin Herrenschmidt @ 2016-07-13 22:44 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linuxppc-dev

On Wed, 2016-07-13 at 13:15 +0300, Dan Carpenter wrote:
> Hello Benjamin Herrenschmidt,
> 
> The patch ac171c46667c: "[PATCH] powerpc: Thermal control for dual
> core G5s" from Feb 8, 2006, leads to the following static checker
> warning:
> 
> 	drivers/macintosh/windfarm_smu_controls.c:83 smu_set_fan()
> 	warn: buffer overflow 'buffer' 16 <= 16

Thanks. I had a look at it seems like id is actually always
smaller than 6. So it's just the check id > 7 that needs
to be id > 5 I think and unless some of these machines have a bad
device-tree I think we don't actually corrupt memory.

> drivers/macintosh/windfarm_smu_controls.c
>     54  static int smu_set_fan(int pwm, u8 id, u16 value)
>     55  {
>     56          struct smu_cmd cmd;
>     57          u8 buffer[16];
>                    ^^^^^^^^^^
> 16 bytes.
> 
>     58          DECLARE_COMPLETION_ONSTACK(comp);
>     59          int rc;
>     60  
>     61          /* Fill SMU command structure */
>     62          cmd.cmd = SMU_CMD_FAN_COMMAND;
>     63  
>     64          /* The SMU has an "old" and a "new" way of setting
> the fan speed
>     65           * Unfortunately, I found no reliable way to know
> which one works
>     66           * on a given machine model. After some
> investigations it appears
>     67           * that MacOS X just tries the new one, and if it
> fails fallbacks
>     68           * to the old ones ... Ugh.
>     69           */
>     70   retry:
>     71          if (smu_supports_new_fans_ops) {
>     72                  buffer[0] = 0x30;
>     73                  buffer[1] = id;
>     74                  *((u16 *)(&buffer[2])) = value;
>     75                  cmd.data_len = 4;
>     76          } else {
>     77                  if (id > 7)
>                             ^^^^^^
> Assume id is 7.
> 
>     78                          return -EINVAL;
>     79                  /* Fill argument buffer */
>     80                  memset(buffer, 0, 16);
>     81                  buffer[0] = pwm ? 0x10 : 0x00;
>     82                  buffer[1] = 0x01 << id;
>     83                  *((u16 *)&buffer[2 + id * 2]) = value;
>                                   ^^^^^^^^^^^^^^^^^^
> 2 + 7 * 2 = 16.  We're write two bytes beyond the end of the array.
> 
>     84                  cmd.data_len = 14;
>     85          }
>     86  
> 
> 
> regards,
> dan carpenter

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-07-13 22:44 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-13 10:15 [bug report] [PATCH] powerpc: Thermal control for dual core G5s Dan Carpenter
2016-07-13 22:44 ` Benjamin Herrenschmidt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).