From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751848AbcFWJXc (ORCPT ); Thu, 23 Jun 2016 05:23:32 -0400 Received: from mout.kundenserver.de ([217.72.192.73]:64453 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751504AbcFWJX3 (ORCPT ); Thu, 23 Jun 2016 05:23:29 -0400 From: Arnd Bergmann To: Geert Uytterhoeven Cc: Tomi Valkeinen , Jean-Christophe Plagniol-Villard , Ingo Molnar , "Luis R. Rodriguez" , Borislav Petkov , Linux Fbdev development list , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] fbdev: atyfb: fix array overflow Date: Thu, 23 Jun 2016 11:22:20 +0200 Message-ID: <4371798.3NSA9GRDBu@wuerfel> User-Agent: KMail/5.1.3 (Linux/4.4.0-22-generic; KDE/5.18.0; x86_64; ; ) In-Reply-To: References: <20160622123822.1262383-1-arnd@arndb.de> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Provags-ID: V03:K0:xDkXAj+Yjh+wod9Ds7qU0w6mwDzdZ64WGq7AiBSytc63D5D29Go IW3Q8tUwzm5IjBdFrflCys+ADYVqEvD+uJXclDlprCB14C2FG1YF5e0WFgmsY61YPmR5WqF Rn8ZWzrVr8Q8HyXEKYWQ6Ew1Ik43SgAa5W8dpFZTrXbuJk3s1Yvyz0JDhr999DvQtnmoovM yJWzPUCCTavC8VlvybVSg== X-UI-Out-Filterresults: notjunk:1;V01:K0:9xt11K3c1lQ=:B+NJzUgHXkb+cc43JoXAJi zDeRWWQ4i44XC2tO9MAerMeugdzdFyxIXkuAgn5puDJ+sT2g6bYU9H33Mh80CbiEGlRCuvkM4 U+xOs/cAmEMkajGNXaQZGTiawLrCTZNkNNnoNTv3zEVKieAJ56Wyl7tY0D2e+0RWo5iqnQ+If UvIDBtTM+eDmx5qzk6JZGz3W0Xt7jN2eWhjotWxn4bz9hNab2AKSflVdH9uyQL5o5xWwTaY9u Ah+xnQlPuF5nRPbWFzb0YsFXrLwlD6P5HiECunze4+JEBcOZs9zoNGD6CJuAi+eiBZGhB7af5 f/3NZNHh7PkkxknJlsOvaElU2+zm4qHjCm65+GC6bkFp8strXaHScXA81//Dcm9TURbCa/N2S k2UiiewRxmjy+cDopxU0uv+8BsG2Nz0+bFf7h76cuJGxZ41Whrtzl4IyRyMQgHRgVVbHbBoDp 3usk2IVRcqydheCTfxBIdHvG/4YnjRwA0jo7qvpDbml5rQrYkngtz+8mkr2YvwZTR4e7iyLpj +ABGmw/j6y/2YjA/QXi+2RU6ZbCEE4XOQj/xoa5eiGdDIjQ/nkOshPZEH54o74Z+q8CxW5xm2 zGWc+hOHAQxljnU8cg3P/yllq52Arg2YQzUGUrOG6zIIq88mI11rDL6mVY9v0BC9/TD5a0ZPV XAiL7e6b9z377ebTRbjeFQ6rUme3N0n8KMLxf1rYPc+2eSJtdWrwDoVk2+pvFNquKgCH6y97z VEx4qdQhi2Csw3uZ Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, June 23, 2016 10:50:04 AM CEST Geert Uytterhoeven wrote: > Hi Arnd, > > On Wed, Jun 22, 2016 at 2:37 PM, Arnd Bergmann wrote: > > When building with CONFIG_UBSAN_SANITIZE_ALL on ARM, I get this > > gcc warning for atyfb: > > > > drivers/video/fbdev/aty/atyfb_base.c: In function 'aty_bl_update_status': > > drivers/video/fbdev/aty/atyfb_base.c:167:33: warning: array subscript is above array bounds [-Warray-bounds] > > drivers/video/fbdev/aty/atyfb_base.c:152:26: warning: array subscript is above array bounds [-Warray-bounds] > > > > Apparently the warning is correct and there is indeed an overflow, > > which was never caught. I could only reproduce this on ARM and > > have opened a bug against the compiler for the lack of warning. > > > > This patch makes the array larger, so we cover all possible > > registers in the LCD controller without an overflow. > > > > Signed-off-by: Arnd Bergmann > > Link: https://bugs.linaro.org/show_bug.cgi?id=2349 > > --- > > drivers/video/fbdev/aty/atyfb_base.c | 2 +- > > include/video/mach64.h | 1 + > > 2 files changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c > > index 001d3d871800..36ffba152eab 100644 > > --- a/drivers/video/fbdev/aty/atyfb_base.c > > +++ b/drivers/video/fbdev/aty/atyfb_base.c > > @@ -134,7 +134,7 @@ > > > > #if defined(CONFIG_PM) || defined(CONFIG_PMAC_BACKLIGHT) || \ > > defined (CONFIG_FB_ATY_GENERIC_LCD) || defined(CONFIG_FB_ATY_BACKLIGHT) > > -static const u32 lt_lcd_regs[] = { > > +static const u32 lt_lcd_regs[LCD_REG_NUM] = { > > CNFG_PANEL_LG, > > LCD_GEN_CNTL_LG, > > DSTN_CONTROL_LG, > > diff --git a/include/video/mach64.h b/include/video/mach64.h > > index 89e91c0cb737..9f74e9e0aeb8 100644 > > --- a/include/video/mach64.h > > +++ b/include/video/mach64.h > > @@ -1299,6 +1299,7 @@ > > #define APC_LUT_KL 0x38 > > #define APC_LUT_MN 0x39 > > #define APC_LUT_OP 0x3A > > +#define LCD_REG_NUM 0x3B /* total number */ > > > > /* Values in LCD_GEN_CTRL */ > > #define CRT_ON 0x00000001ul > > This doesn't look like the right fix to me. > > Before, aty_st_lcd(LCD_MISC_CNTL, reg, par) in aty_bl_update_status() > wrote into an arbitrary register. > With your fix, it will write to register 0, which is IMHO also not OK. Ok, I see now. I thought it array was for initializing the registers and caching the contents as some other drivers do it, but it's really used for some indirect addressing method. > I think aty_st_lcd() and aty_ld_lcd() should check whether the index is > out of range, perhaps even with a WARN_ON()? Just guessing what the right behavior would be, maybe something like this? That would assume that the LCD_MISC_CNTL is accessible through LCD_INDEX/LCD_DATA but not through a direct register. Arnd diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c index 36ffba152eab..c67d4b767e9a 100644 --- a/drivers/video/fbdev/aty/atyfb_base.c +++ b/drivers/video/fbdev/aty/atyfb_base.c @@ -148,7 +148,7 @@ static const u32 lt_lcd_regs[LCD_REG_NUM] = { void aty_st_lcd(int index, u32 val, const struct atyfb_par *par) { - if (M64_HAS(LT_LCD_REGS)) { + if (M64_HAS(LT_LCD_REGS) && index < ARRAY_SIZE(lt_lcd_regs)) { aty_st_le32(lt_lcd_regs[index], val, par); } else { unsigned long temp; @@ -163,7 +163,7 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par) u32 aty_ld_lcd(int index, const struct atyfb_par *par) { - if (M64_HAS(LT_LCD_REGS)) { + if (M64_HAS(LT_LCD_REGS) && index < ARRAY_SIZE(lt_lcd_regs)) { return aty_ld_le32(lt_lcd_regs[index], par); } else { unsigned long temp;