[PATCH] PCI: kirin: Fix buffer overflow

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] PCI: kirin: Fix buffer overflow
@ 2024-07-12  8:43 Alexandra Diupina
  2024-07-12  9:07 ` Mauro Carvalho Chehab
  0 siblings, 1 reply; 8+ messages in thread
From: Alexandra Diupina @ 2024-07-12  8:43 UTC (permalink / raw)
  To: Xiaowei Song
  Cc: Alexandra Diupina, Binghui Wang, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Mauro Carvalho Chehab, linux-pci, linux-kernel, lvc-project

In kirin_pcie_parse_port() pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
condition to pcie->num_slots >= MAX_PCI_SLOTS to
avoid out of bounds array access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
 drivers/pci/controller/dwc/pcie-kirin.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
index d5523f302102..5ef3384c137d 100644
--- a/drivers/pci/controller/dwc/pcie-kirin.c
+++ b/drivers/pci/controller/dwc/pcie-kirin.c
@@ -413,7 +413,7 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
 				continue;
 
 			pcie->num_slots++;
-			if (pcie->num_slots > MAX_PCI_SLOTS) {
+			if (pcie->num_slots >= MAX_PCI_SLOTS) {
 				dev_err(dev, "Too many PCI slots!\n");
 				ret = -EINVAL;
 				goto put_node;
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH] PCI: kirin: Fix buffer overflow
  2024-07-12  8:43 [PATCH] PCI: kirin: Fix buffer overflow Alexandra Diupina
@ 2024-07-12  9:07 ` Mauro Carvalho Chehab
  2024-07-19 12:21   ` [PATCH v2] " Alexandra Diupina
  0 siblings, 1 reply; 8+ messages in thread
From: Mauro Carvalho Chehab @ 2024-07-12  9:07 UTC (permalink / raw)
  To: Alexandra Diupina
  Cc: Xiaowei Song, Binghui Wang, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas, linux-pci,
	linux-kernel, lvc-project

Em Fri, 12 Jul 2024 11:43:09 +0300
Alexandra Diupina <adiupina@astralinux.ru> escreveu:

> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots >= MAX_PCI_SLOTS to
> avoid out of bounds array access.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> ---
>  drivers/pci/controller/dwc/pcie-kirin.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
> index d5523f302102..5ef3384c137d 100644
> --- a/drivers/pci/controller/dwc/pcie-kirin.c
> +++ b/drivers/pci/controller/dwc/pcie-kirin.c
> @@ -413,7 +413,7 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
>  				continue;
>  
>  			pcie->num_slots++;
> -			if (pcie->num_slots > MAX_PCI_SLOTS) {
> +			if (pcie->num_slots >= MAX_PCI_SLOTS) {
>  				dev_err(dev, "Too many PCI slots!\n");
>  				ret = -EINVAL;
>  				goto put_node;

Hmm... the logic will keep num_slots incremented when the error condition
is trigged. IMO, the code should be, instead:

                        if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
                                dev_err(dev, "Too many PCI slots!\n");
                                ret = -EINVAL;
                                goto put_node;
                        }
                        pcie->num_slots++;

Thanks,
Mauro

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v2] PCI: kirin: Fix buffer overflow
  2024-07-12  9:07 ` Mauro Carvalho Chehab
@ 2024-07-19 12:21   ` Alexandra Diupina
  2024-09-02 14:14     ` Alexandra Diupina
  2024-09-02 18:29     ` Mauro Carvalho Chehab
  0 siblings, 2 replies; 8+ messages in thread
From: Alexandra Diupina @ 2024-07-19 12:21 UTC (permalink / raw)
  To: Xiaowei Song
  Cc: Alexandra Diupina, Binghui Wang, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Mauro Carvalho Chehab, linux-pci, linux-kernel, lvc-project

In kirin_pcie_parse_port() pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
pcie->num_slots increment lower to avoid out-of-bounds
array access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v2: some changes
 drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
index d5523f302102..deab1e653b9a 100644
--- a/drivers/pci/controller/dwc/pcie-kirin.c
+++ b/drivers/pci/controller/dwc/pcie-kirin.c
@@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
 			if (pcie->gpio_id_reset[i] < 0)
 				continue;
 
-			pcie->num_slots++;
-			if (pcie->num_slots > MAX_PCI_SLOTS) {
+			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
 				dev_err(dev, "Too many PCI slots!\n");
 				ret = -EINVAL;
 				goto put_node;
 			}
+			pcie->num_slots++;
 
 			ret = of_pci_get_devfn(child);
 			if (ret < 0) {
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] PCI: kirin: Fix buffer overflow
  2024-07-19 12:21   ` [PATCH v2] " Alexandra Diupina
@ 2024-09-02 14:14     ` Alexandra Diupina
  2024-09-02 17:17       ` Krzysztof Wilczyński
  2024-09-02 18:29     ` Mauro Carvalho Chehab
  1 sibling, 1 reply; 8+ messages in thread
From: Alexandra Diupina @ 2024-09-02 14:14 UTC (permalink / raw)
  To: Xiaowei Song
  Cc: Binghui Wang, Lorenzo Pieralisi, Krzysztof Wilczyński,
	Rob Herring, Bjorn Helgaas, Mauro Carvalho Chehab, linux-pci,
	linux-kernel, lvc-project

just a friendly reminder


19/07/24 15:21, Alexandra Diupina пишет:
> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
> pcie->num_slots increment lower to avoid out-of-bounds
> array access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> ---
> v2: some changes
>   drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
> index d5523f302102..deab1e653b9a 100644
> --- a/drivers/pci/controller/dwc/pcie-kirin.c
> +++ b/drivers/pci/controller/dwc/pcie-kirin.c
> @@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
>   			if (pcie->gpio_id_reset[i] < 0)
>   				continue;
>   
> -			pcie->num_slots++;
> -			if (pcie->num_slots > MAX_PCI_SLOTS) {
> +			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
>   				dev_err(dev, "Too many PCI slots!\n");
>   				ret = -EINVAL;
>   				goto put_node;
>   			}
> +			pcie->num_slots++;
>   
>   			ret = of_pci_get_devfn(child);
>   			if (ret < 0) {


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] PCI: kirin: Fix buffer overflow
  2024-09-02 14:14     ` Alexandra Diupina
@ 2024-09-02 17:17       ` Krzysztof Wilczyński
  0 siblings, 0 replies; 8+ messages in thread
From: Krzysztof Wilczyński @ 2024-09-02 17:17 UTC (permalink / raw)
  To: Alexandra Diupina
  Cc: Xiaowei Song, Binghui Wang, Lorenzo Pieralisi, Rob Herring,
	Bjorn Helgaas, Mauro Carvalho Chehab, linux-pci, linux-kernel,
	lvc-project

Hello,

> just a friendly reminder

Would you mind sending a v2 as a standalone patch?  So that I can pick it
up via Patchwork and such.  I would be much obliged.

I wonder if Mauro would be willing to have another review of the new
iteration of the fix.  Just something that would be nice to have his
tag added.

	Krzysztof

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] PCI: kirin: Fix buffer overflow
  2024-07-19 12:21   ` [PATCH v2] " Alexandra Diupina
  2024-09-02 14:14     ` Alexandra Diupina
@ 2024-09-02 18:29     ` Mauro Carvalho Chehab
  1 sibling, 0 replies; 8+ messages in thread
From: Mauro Carvalho Chehab @ 2024-09-02 18:29 UTC (permalink / raw)
  To: Alexandra Diupina
  Cc: Xiaowei Song, Binghui Wang, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas, linux-pci,
	linux-kernel, lvc-project

Em Fri, 19 Jul 2024 15:21:53 +0300
Alexandra Diupina <adiupina@astralinux.ru> escreveu:

> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
> pcie->num_slots increment lower to avoid out-of-bounds
> array access.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>

LGTM.

Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

> ---
> v2: some changes
>  drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
> index d5523f302102..deab1e653b9a 100644
> --- a/drivers/pci/controller/dwc/pcie-kirin.c
> +++ b/drivers/pci/controller/dwc/pcie-kirin.c
> @@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
>  			if (pcie->gpio_id_reset[i] < 0)
>  				continue;
>  
> -			pcie->num_slots++;
> -			if (pcie->num_slots > MAX_PCI_SLOTS) {
> +			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
>  				dev_err(dev, "Too many PCI slots!\n");
>  				ret = -EINVAL;
>  				goto put_node;
>  			}
> +			pcie->num_slots++;
>  
>  			ret = of_pci_get_devfn(child);
>  			if (ret < 0) {



Thanks,
Mauro

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH] PCI: kirin: Fix buffer overflow
@ 2024-09-03 11:58 Alexandra Diupina
  2024-09-06  6:42 ` Krzysztof Wilczyński
  0 siblings, 1 reply; 8+ messages in thread
From: Alexandra Diupina @ 2024-09-03 11:58 UTC (permalink / raw)
  To: Xiaowei Song
  Cc: Alexandra Diupina, Binghui Wang, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Mauro Carvalho Chehab, linux-pci, linux-kernel, lvc-project

In kirin_pcie_parse_port() pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
pcie->num_slots increment lower to avoid out-of-bounds
array access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
 drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
index d5523f302102..deab1e653b9a 100644
--- a/drivers/pci/controller/dwc/pcie-kirin.c
+++ b/drivers/pci/controller/dwc/pcie-kirin.c
@@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
 			if (pcie->gpio_id_reset[i] < 0)
 				continue;
 
-			pcie->num_slots++;
-			if (pcie->num_slots > MAX_PCI_SLOTS) {
+			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
 				dev_err(dev, "Too many PCI slots!\n");
 				ret = -EINVAL;
 				goto put_node;
 			}
+			pcie->num_slots++;
 
 			ret = of_pci_get_devfn(child);
 			if (ret < 0) {
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH] PCI: kirin: Fix buffer overflow
  2024-09-03 11:58 [PATCH] " Alexandra Diupina
@ 2024-09-06  6:42 ` Krzysztof Wilczyński
  0 siblings, 0 replies; 8+ messages in thread
From: Krzysztof Wilczyński @ 2024-09-06  6:42 UTC (permalink / raw)
  To: Alexandra Diupina
  Cc: Xiaowei Song, Binghui Wang, Lorenzo Pieralisi, Rob Herring,
	Bjorn Helgaas, Mauro Carvalho Chehab, linux-pci, linux-kernel,
	lvc-project

Hello,

By the way, this would be v2, technically, but not to worry.

> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
> pcie->num_slots increment lower to avoid out-of-bounds
> array access.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.

Applied to controller/kirin, thank you!

[1/1] PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()
      https://git.kernel.org/pci/pci/c/c500a86693a1

	Krzysztof

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-09-06  6:42 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-12  8:43 [PATCH] PCI: kirin: Fix buffer overflow Alexandra Diupina
2024-07-12  9:07 ` Mauro Carvalho Chehab
2024-07-19 12:21   ` [PATCH v2] " Alexandra Diupina
2024-09-02 14:14     ` Alexandra Diupina
2024-09-02 17:17       ` Krzysztof Wilczyński
2024-09-02 18:29     ` Mauro Carvalho Chehab
  -- strict thread matches above, loose matches on Subject: below --
2024-09-03 11:58 [PATCH] " Alexandra Diupina
2024-09-06  6:42 ` Krzysztof Wilczyński

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox