* [bug report] Linux-2.6.12-rc2
@ 2016-07-14 22:22 Dan Carpenter
2016-07-15 3:24 ` Michael Ellerman
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2016-07-14 22:22 UTC (permalink / raw)
To: linuxppc-dev
Hi PPC Devs,

The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005, leads
to the following static checker warning:

    arch/powerpc/sysdev/ipic.c:783 ipic_set_priority()
    error: buffer overflow 'ipic_info' 95 <= 127

arch/powerpc/sysdev/ipic.c
    36  static struct ipic_info ipic_info[] = {
    37          [1] = {
    38                  .mask = IPIC_SIMSR_H,
    39                  .prio = IPIC_SIPRR_C,
    40                  .force = IPIC_SIFCR_H,
    41                  .bit = 16,
    42                  .prio_mask = 0,
    43          },

[ huge 95 element array snipped ]

   500          [94] = {
   501                  .mask = IPIC_SIMSR_L,
   502                  .prio = 0,
   503                  .force = IPIC_SIFCR_L,
   504                  .bit = 30,
   505          },
   506  };

[ more code snipped ]

   773  int ipic_set_priority(unsigned int virq, unsigned int priority)
   774  {
   775          struct ipic *ipic = ipic_from_irq(virq);
   776          unsigned int src = virq_to_hw(virq);
   777          u32 temp;
   778
   779          if (priority > 7)
   780                  return -EINVAL;
   781          if (src > 127)
                    ^^^^^^^^^
We cap this at 127

   782                  return -EINVAL;
   783          if (ipic_info[src].prio == 0)
                    ^^^^^^^^^^^^^^
But we only have 95 elements.  Should the array be larger or should
we >= ARRAY_SIZE(ipic_info) is invalid?

   784                  return -EINVAL;
   785

regards,
dan carpenter
* Re: [bug report] Linux-2.6.12-rc2
From: Michael Ellerman @ 2016-07-15 3:24 UTC (permalink / raw)
To: Dan Carpenter, linuxppc-dev
Dan Carpenter <dan.carpenter@oracle.com> writes:

> Hi PPC Devs,
>
> The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005, leads

Might want to special case that one :)

> to the following static checker warning:
>
>     arch/powerpc/sysdev/ipic.c:783 ipic_set_priority()
>     error: buffer overflow 'ipic_info' 95 <= 127

...

>
>    773  int ipic_set_priority(unsigned int virq, unsigned int priority)
>    774  {
>    775          struct ipic *ipic = ipic_from_irq(virq);
>    776          unsigned int src = virq_to_hw(virq);
>    777          u32 temp;
>    778
>    779          if (priority > 7)
>    780                  return -EINVAL;
>    781          if (src > 127)
>                     ^^^^^^^^^
> We cap this at 127
>
>    782                  return -EINVAL;
>    783          if (ipic_info[src].prio == 0)
>                     ^^^^^^^^^^^^^^
> But we only have 95 elements.  Should the array be larger or should
> we >= ARRAY_SIZE(ipic_info) is invalid?

I don't know the code personally, but looking at the history it seems new
interrupts are added manually with specific flags.

So testing against ARRAY_SIZE would be the best fix AFAICS.

cheers
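
The bounds check discussed in this thread, as an added example that is not part of either message or of the kernel source: a user-space model of a sparse designated-initializer table whose index is bounded by ARRAY_SIZE instead of a hard-coded 127. Only the 95-slot length, the 127 cap and the priority > 7 check come from the thread; `struct info`, `table`, `set_priority_checked`, `unguarded_indices` and the prio values are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define LEGACY_LIMIT 127u /* hard-coded cap from the report: if (src > 127) */

/* Constructed stand-in for struct ipic_info: only the field the check reads. */
struct info { unsigned int prio; };

/* Sparse table with designated initializers, like ipic_info[]: its length is
 * highest index + 1 = 95, and every unlisted slot is zero-filled.
 * The prio values are constructed sample data. */
static const struct info table[] = {
	[1]  = { .prio = 0x10 },
	[9]  = { .prio = 0x14 },
	[94] = { .prio = 0 },
};

/* Bound the index by the table itself, so the check follows the array
 * when entries are added or removed. */
static int set_priority_checked(unsigned int src, unsigned int priority)
{
	if (priority > 7)
		return -EINVAL;
	if (src >= ARRAY_SIZE(table))
		return -EINVAL;
	if (table[src].prio == 0) /* gap or entry without a priority register */
		return -EINVAL;
	return 0;
}

/* Count the indices the legacy cap lets through that lie past the array end. */
static unsigned int unguarded_indices(void)
{
	unsigned int src, n = 0;

	for (src = 0; src <= LEGACY_LIMIT; src++)
		if (src >= ARRAY_SIZE(table))
			n++;
	return n;
}

int main(void)
{
	printf("slots=%zu unguarded=%u src1=%d src95=%d\n", ARRAY_SIZE(table),
	       unguarded_indices(), set_priority_checked(1, 3), set_priority_checked(95, 3));
	return 0;
}
```

Zero-filled gaps inside the table are rejected by the existing `prio == 0` test, so only indices past the last initializer need the ARRAY_SIZE bound.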