From: Dan Carpenter <error27@gmail.com>
To: Grant Grundler <grundler@parisc-linux.org>
Cc: Kyle McMartin <kyle@mcmartin.ca>, netdev@vger.kernel.org
Subject: Re: potential overflow in de4x5.c
Date: Thu, 7 Jan 2010 18:40:07 +0300 [thread overview]
Message-ID: <20100107154007.GE8134@bicker> (raw)
In-Reply-To: <20100104073514.GA987@lackof.org>
On Mon, Jan 04, 2010 at 12:35:14AM -0700, Grant Grundler wrote:
> On Mon, Jan 04, 2010 at 12:28:44AM -0700, Grant Grundler wrote:
> > On Sun, Jan 03, 2010 at 12:13:56PM +0200, Dan Carpenter wrote:
> > > Hi I found this using smatch (http://repo.or.cz/w/smatch.git).
> > >
> > > drivers/net/tulip/de4x5.c
> > > 4772 lp->active = *p++;
> > > 4773 if (MOTO_SROM_BUG) lp->active = 0;
> > > 4774 lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
> > >
> > > lp->phy is an array of size 8.
> > >
> > > MOTO_SROM_BUG is defined like this.
> > >
> > > #define MOTO_SROM_BUG (lp->active == 8 && (get_unaligned_le32(dev->dev_addr) & 0x00ffffff) == 0x3e0008)
> > >
> > > If lp->active == 8 then we have a buffer overflow.
> >
> > Dan,
> > When does the overflow actually occur?
> >
You may be right that it can't happen in real life but from reading
the code without access to the hardware, it looks like it would happen on
line 4774 quoted above.
> > That code is reseting the value to work around a specific SROM bug:
> > http://lists.ozlabs.org/pipermail/linuxppc-dev/1999-March/001421.html
> >
> > If you want to make the "input validation" more robust, that would be fine with me.
> > But smatch hasn't convinced me there is a bug here.
>
Basically the MOTO_SROM_BUG macro is asking: Do we have an array overflow
and a hardware bug? If so we had better do something about the hardware
bug. It sounds silly to me.
> BTW, someone suggested to fix up this same bit of code before:
> http://www.mail-archive.com/netdev@vger.kernel.org/msg09838.html
>
> And I'm not sure why that patch wasn't accepted then either. Patch looks fine to me.
>
Someone has updated the code since he posted the patch, presumably to fix
the second overflow he mentioned.
There is still another one left unfixed though which smatch misses.
5073 if ((j == limit) && (i < DE4X5_MAX_MII)) {
5074 for (k=0; k < DE4X5_MAX_PHY && lp->phy[k].id; k++);
5075 lp->phy[k].addr = i;
k could be == DE4X5_MAX_PHY on line 5075.
regards,
dan carpenter
> thanks,
> grant
next prev parent reply other threads:[~2010-01-07 15:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-03 10:13 potential overflow in de4x5.c Dan Carpenter
2010-01-04 7:28 ` Grant Grundler
2010-01-04 7:35 ` Grant Grundler
2010-01-07 15:40 ` Dan Carpenter [this message]
2010-01-13 4:31 ` Grant Grundler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100107154007.GE8134@bicker \
--to=error27@gmail.com \
--cc=grundler@parisc-linux.org \
--cc=kyle@mcmartin.ca \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).