From: Vinod Koul <vkoul@kernel.org>
To: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Cc: Andy Gross <agross@kernel.org>,
Bjorn Andersson <andersson@kernel.org>,
Konrad Dybcio <konrad.dybcio@linaro.org>,
Bard Liao <yung-chuan.liao@linux.intel.com>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
Sanyog Kale <sanyog.r.kale@intel.com>,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
linux-arm-msm@vger.kernel.org, alsa-devel@alsa-project.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
kernel test robot <lkp@intel.com>,
Dan Carpenter <error27@gmail.com>
Subject: Re: [PATCH] soundwire: qcom: fix storing port config out-of-bounds
Date: Wed, 7 Jun 2023 18:40:20 +0530 [thread overview]
Message-ID: <ZICBvP33XyOswWFM@matsya> (raw)
In-Reply-To: <20230601102525.609627-1-krzysztof.kozlowski@linaro.org>
On 01-06-23, 12:25, Krzysztof Kozlowski wrote:
> The 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14),
> however we index it starting from 1, not 0, to match real port numbers.
> This can lead to writing port config past 'pconfig' bounds and
> overwriting next member of 'qcom_swrm_ctrl' struct. Reported also by
> smatch:
>
> drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow 'ctrl->pconfig' 14 <= 14
>
> Fixes: 9916c02ccd74 ("soundwire: qcom: cleanup internal port config indexing")
> Cc: <stable@vger.kernel.org>
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202305201301.sCJ8UDKV-lkp@intel.com/
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> ---
> drivers/soundwire/qcom.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
> index 7cb1b7eba814..88a772075907 100644
> --- a/drivers/soundwire/qcom.c
> +++ b/drivers/soundwire/qcom.c
> @@ -202,7 +202,8 @@ struct qcom_swrm_ctrl {
> u32 intr_mask;
> u8 rcmd_id;
> u8 wcmd_id;
> - struct qcom_swrm_port_config pconfig[QCOM_SDW_MAX_PORTS];
> + /* Port numbers are 1 - 14 */
> + struct qcom_swrm_port_config pconfig[QCOM_SDW_MAX_PORTS + 1];
Better use SDW_MAX_PORTS ?
> struct sdw_stream_runtime *sruntime[SWRM_MAX_DAIS];
> enum sdw_slave_status status[SDW_MAX_DEVICES + 1];
> int (*reg_read)(struct qcom_swrm_ctrl *ctrl, int reg, u32 *val);
> --
> 2.34.1
--
~Vinod
next prev parent reply other threads:[~2023-06-07 13:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-01 10:25 [PATCH] soundwire: qcom: fix storing port config out-of-bounds Krzysztof Kozlowski
2023-06-01 10:29 ` Konrad Dybcio
2023-06-07 13:10 ` Vinod Koul [this message]
2023-06-07 13:51 ` Krzysztof Kozlowski
2023-06-07 14:51 ` Pierre-Louis Bossart
2023-06-21 11:02 ` Vinod Koul
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZICBvP33XyOswWFM@matsya \
--to=vkoul@kernel.org \
--cc=agross@kernel.org \
--cc=alsa-devel@alsa-project.org \
--cc=andersson@kernel.org \
--cc=error27@gmail.com \
--cc=konrad.dybcio@linaro.org \
--cc=krzysztof.kozlowski@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=sanyog.r.kale@intel.com \
--cc=srinivas.kandagatla@linaro.org \
--cc=stable@vger.kernel.org \
--cc=yung-chuan.liao@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox