[PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
@ 2019-02-13  8:23 Dan Carpenter
  2019-02-13 13:13 ` Vivien Didelot
  2019-02-14  6:13 ` David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2019-02-13  8:23 UTC (permalink / raw)
  To: Andrew Lunn, Florian Fainelli
  Cc: Vivien Didelot, David S. Miller, netdev, kernel-janitors

The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
array is allocated in dsa_switch_alloc() and it has ds->num_ports
elements so this leads to a static checker warning about a potential out
of bounds read.

Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/dsa/bcm_sf2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index 5193da67dcdc..98696a88fa1c 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -690,7 +690,7 @@ static int bcm_sf2_sw_suspend(struct dsa_switch *ds)
 	 * port, the other ones have already been disabled during
 	 * bcm_sf2_sw_setup
 	 */
-	for (port = 0; port < DSA_MAX_PORTS; port++) {
+	for (port = 0; port < ds->num_ports; port++) {
 		if (dsa_is_user_port(ds, port) || dsa_is_cpu_port(ds, port))
 			bcm_sf2_port_disable(ds, port, NULL);
 	}
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
  2019-02-13  8:23 [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() Dan Carpenter
@ 2019-02-13 13:13 ` Vivien Didelot
  2019-02-14  6:13 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: Vivien Didelot @ 2019-02-13 13:13 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Andrew Lunn, Florian Fainelli, David S. Miller, netdev,
	kernel-janitors

On Wed, 13 Feb 2019 11:23:04 +0300, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
> than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
> the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
> array is allocated in dsa_switch_alloc() and it has ds->num_ports
> elements so this leads to a static checker warning about a potential out
> of bounds read.
> 
> Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
  2019-02-13  8:23 [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() Dan Carpenter
  2019-02-13 13:13 ` Vivien Didelot
@ 2019-02-14  6:13 ` David Miller
  2019-02-15  0:31   ` Florian Fainelli
  1 sibling, 1 reply; 4+ messages in thread
From: David Miller @ 2019-02-14  6:13 UTC (permalink / raw)
  To: dan.carpenter; +Cc: andrew, f.fainelli, vivien.didelot, netdev, kernel-janitors

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 13 Feb 2019 11:23:04 +0300

> The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
> than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
> the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
> array is allocated in dsa_switch_alloc() and it has ds->num_ports
> elements so this leads to a static checker warning about a potential out
> of bounds read.
> 
> Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
  2019-02-14  6:13 ` David Miller
@ 2019-02-15  0:31   ` Florian Fainelli
  0 siblings, 0 replies; 4+ messages in thread
From: Florian Fainelli @ 2019-02-15  0:31 UTC (permalink / raw)
  To: David Miller, dan.carpenter
  Cc: andrew, vivien.didelot, netdev, kernel-janitors

On 2/13/19 10:13 PM, David Miller wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Date: Wed, 13 Feb 2019 11:23:04 +0300
> 
>> The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
>> than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
>> the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
>> array is allocated in dsa_switch_alloc() and it has ds->num_ports
>> elements so this leads to a static checker warning about a potential out
>> of bounds read.

This would not happen here because bcm_sf2 calls b53_switch_alloc()
which does allocate the full port range (not for a good reason), but
it's good to fix that anyways.

>>
>> Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Applied.
> 


-- 
Florian

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-02-15  0:31 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-13  8:23 [PATCH net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() Dan Carpenter
2019-02-13 13:13 ` Vivien Didelot
2019-02-14  6:13 ` David Miller
2019-02-15  0:31   ` Florian Fainelli

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).