public inbox for linux-kernel@vger.kernel.org
From: Cristian Marussi <cristian.marussi@arm.com>
To: Sudeep Holla <sudeep.holla@arm.com>
Cc: linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, james.quinlan@broadcom.com,
	Jonathan.Cameron@huawei.com, f.fainelli@gmail.com,
	etienne.carriere@linaro.org, vincent.guittot@linaro.org,
	souvik.chakravarty@arm.com
Subject: Re: [PATCH 04/22] firmware: arm_scmi: Validate BASE_DISCOVER_LIST_PROTOCOLS reply
Date: Thu, 28 Apr 2022 15:03:05 +0100
Message-ID: <YmqembjBccFV575k@e120937-lin>
In-Reply-To: <20220428135504.lt3bjq4sz7uktca6@bogus>

On Thu, Apr 28, 2022 at 02:55:04PM +0100, Sudeep Holla wrote:
> On Thu, Apr 28, 2022 at 02:45:07PM +0100, Cristian Marussi wrote:
> > On Thu, Apr 28, 2022 at 11:07:29AM +0100, Sudeep Holla wrote:
> > > On Wed, Mar 30, 2022 at 04:05:33PM +0100, Cristian Marussi wrote:
> > > > Do not blindly trust SCMI backend server reply about list of implemented
> > > > protocols, instead validate the reported length of the list of protocols
> > > > against the real payload size of the message reply.
> > > >
> > > > Fixes: b6f20ff8bd9 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
> > > > Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
> > > > ---
> > > >  drivers/firmware/arm_scmi/base.c | 21 +++++++++++++++++++++
> > > >  1 file changed, 21 insertions(+)
> > > >
> > > > diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
> > > > index f279146f8110..c1165d1282ef 100644
> > > > --- a/drivers/firmware/arm_scmi/base.c
> > > > +++ b/drivers/firmware/arm_scmi/base.c
> > > > @@ -189,6 +189,9 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
> > > >  	list = t->rx.buf + sizeof(*num_ret);
> > > >
> > > >  	do {
> > > > +		size_t real_list_sz;
> > > > +		u32 calc_list_sz;
> > > > +
> > > >  		/* Set the number of protocols to be skipped/already read */
> > > >  		*num_skip = cpu_to_le32(tot_num_ret);
> > > >
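Review bot: the two new locals at the top of the loop body have different types, `size_t real_list_sz` and `u32 calc_list_sz`, although both hold a byte size of the same list. The later assignment to `calc_list_sz` multiplies by `sizeof(u32)`, which is a `size_t`, so the result is narrowed implicitly on store. Declaring both as `size_t` keeps the arithmetic and any comparison between them in a single type.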
> > > > @@ -202,6 +205,24 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
> > > >  			break;
> > > >  		}
> > > >
> > > > +		if (t->rx.len < (sizeof(u32) * 2)) {
> > > > +			dev_err(dev, "Truncated reply - rx.len:%zd\n",
> > > > +				t->rx.len);
> > > > +			ret = -EPROTO;
> > > > +			break;
> > > > +		}
> > > > +
> > > > +		real_list_sz = t->rx.len - sizeof(u32);
> > > > +		calc_list_sz = ((loop_num_ret / sizeof(u32)) +
> > > > +				!!(loop_num_ret % sizeof(u32))) * sizeof(u32);
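Review bot: the open-coded round-up in the `calc_list_sz` assignment is hard to read at a glance; `DIV_ROUND_UP(loop_num_ret, sizeof(u32)) * sizeof(u32)` expresses the same padding to whole 32-bit words and still evaluates to 0 for a zero count. In the truncated-reply check, `%zd` is the signed specifier; if `t->rx.len` is a `size_t`, as the assignment to `real_list_sz` suggests, `%zu` is the matching one.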
> > > 
> > > Any reason this can't be (loop_num_ret - 1) / sizeof(u32) + 1 ?
> > > 
> > 
> > At first sight it could be fine with your easier version BUT what if loop_num_ret
> > is returned as zero?
> > 
> > real_list_sz should be ZERO length and calc_list_sz
> > 
> > in my version:
> > 
> > calc_list_sz = ((0/4) +!!(0%4)) * 4   ===>> 0
> > 
> > while in the simplified one gets calculated wrong:
> > 
> > calc_list_sz = (0-1)/4 + 1 ====> 1
> > 
> > ...moreover being both loop_num_ret and calc_list_sz unsigned I am even
> > not so sure about implicit casting messing things up even more :D
> > 
> > So I stuck to the more convoluted approach :D
> > 
> > ....Have I missed something else ?
> >
> 
> Right, but shouldn't we break if it is 0 much earlier? It must not happen with
> your new logic and even if it does, wouldn't it be better to break earlier?
> 

Fine for me.

Thanks,
Cristian
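
An added example, not code from the patch or from anyone in the thread: the two round-up forms discussed above evaluated with unsigned 32-bit inputs, plus a receive-side check that tests for a zero count before doing any size arithmetic. The helper names, the `>` comparison and the sample replies are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORD (sizeof(uint32_t))

/* Round-up as written in the patch; 64-bit result so it cannot wrap. */
static uint64_t padded_sz_modulo(uint32_t n)
{
	return ((uint64_t)(n / WORD) + !!(n % WORD)) * WORD;
}

/* Shorter form from the review, scaled to bytes. Valid only for n >= 1:
 * for n == 0 the unsigned n - 1 wraps to UINT32_MAX before the division. */
static uint64_t padded_sz_minus_one(uint32_t n)
{
	return ((uint64_t)((uint32_t)(n - 1) / WORD) + 1) * WORD;
}

/* rx holds a little-endian 32-bit count followed by the padded id list.
 * Returns 0 with *count set (0 = list finished) or -EPROTO if malformed. */
static int check_list_reply(const uint8_t *rx, size_t rx_len, uint32_t *count)
{
	if (rx_len < WORD)
		return -EPROTO;		/* no room even for the count */
	*count = rx[0] | rx[1] << 8 | rx[2] << 16 | (uint32_t)rx[3] << 24;
	if (*count == 0)
		return 0;		/* stop early, before any size math */
	/* Assumed comparison: reject a count needing more bytes than arrived. */
	if (padded_sz_modulo(*count) > rx_len - WORD)
		return -EPROTO;
	return 0;
}

int main(void)
{
	/* Constructed replies: 3 ids in one word, then a count of 9 with one word. */
	const uint8_t ok[] = { 3, 0, 0, 0, 0x10, 0x11, 0x13, 0x00 };
	const uint8_t bad[] = { 9, 0, 0, 0, 0x10, 0x11, 0x13, 0x14 };
	uint32_t n;

	printf("n=0: modulo=%llu minus_one=%llu\n",
	       (unsigned long long)padded_sz_modulo(0),
	       (unsigned long long)padded_sz_minus_one(0));
	printf("ok=%d bad=%d\n", check_list_reply(ok, sizeof(ok), &n),
	       check_list_reply(bad, sizeof(bad), &n));
	return 0;
}
```

For every count of 1 or more the two forms agree; for a zero count the shorter form evaluates to 4294967296 in 64-bit arithmetic and to 0 once truncated to a 32-bit variable.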

