From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>,
Dan Williams <dan.j.williams@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.19 06/36] tools/testing/nvdimm: Fix the array size for dimm devices.
Date: Thu, 22 Nov 2018 14:52:10 -0500
Message-ID: <20181122195240.13123-6-sashal@kernel.org>
In-Reply-To: <20181122195240.13123-1-sashal@kernel.org>
From: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
[ Upstream commit af31b04b67f4fd7f639fd465a507c154c46fc9fb ]
KASAN reports the following global out-of-bounds access while
nfit_test is being loaded. The out-of-bounds access happens at
the following reference to dimm_fail_cmd_flags[dimm]. 'dimm' is
over the index value, NUM_DCR (==5).

  static int override_return_code(int dimm, unsigned int func, int rc)
  {
          if ((1 << func) & dimm_fail_cmd_flags[dimm]) {

dimm_fail_cmd_flags[] definition:

  static unsigned long dimm_fail_cmd_flags[NUM_DCR];

'dimm' is the return value of get_dimm(), and get_dimm() returns
the index of the handle[] array. The handle[] has 7 indexes. Let's use
ARRAY_SIZE(handle) as the array size.
KASAN report:
==================================================================
BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
Read of size 8 at addr ffffffffc10cbbe8 by task kworker/u41:0/8
...
Call Trace:
dump_stack+0xea/0x1b0
? dump_stack_print_info.cold.0+0x1b/0x1b
? kmsg_dump_rewind_nolock+0xd9/0xd9
print_address_description+0x65/0x22e
? nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
kasan_report.cold.6+0x92/0x1a6
nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
...
The buggy address belongs to the variable:
dimm_fail_cmd_flags+0x28/0xffffffffffffa440 [nfit_test]
==================================================================
Fixes: 39611e83a28c ("tools/testing/nvdimm: Make DSM failure code injection...")
Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/nvdimm/test/nfit.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
index cffc2c5a778d..ec50d2a95076 100644
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -139,8 +139,8 @@ static u32 handle[] = {
[6] = NFIT_DIMM_HANDLE(1, 0, 0, 0, 1),
};
-static unsigned long dimm_fail_cmd_flags[NUM_DCR];
-static int dimm_fail_cmd_code[NUM_DCR];
+static unsigned long dimm_fail_cmd_flags[ARRAY_SIZE(handle)];
+static int dimm_fail_cmd_code[ARRAY_SIZE(handle)];
static const struct nd_intel_smart smart_def = {
.flags = ND_INTEL_SMART_HEALTH_VALID
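
Review bot: nothing at the two resized declarations says that dimm_fail_cmd_flags[] and dimm_fail_cmd_code[] are indexed by the handle[] index that get_dimm() returns, which is how they came to be sized by NUM_DCR in the first place. A one-line comment above them stating that would keep the sizes tied to handle[] in future edits. Separately, the use site quoted in the commit message, override_return_code(), indexes dimm_fail_cmd_flags[dimm] with no range check of its own, so unless every caller already guarantees 0 <= dimm < ARRAY_SIZE(handle), a check there would turn any later mismatch into an error return instead of an out-of-bounds read.
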
@@ -203,7 +203,7 @@ struct nfit_test {
unsigned long deadline;
spinlock_t lock;
} ars_state;
- struct device *dimm_dev[NUM_DCR];
+ struct device *dimm_dev[ARRAY_SIZE(handle)];
struct nd_intel_smart *smart;
struct nd_intel_smart_threshold *smart_threshold;
struct badrange badrange;
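
Review bot: growing dimm_dev[] to ARRAY_SIZE(handle) entries only helps if the code that fills the array populates every slot, and that code is not part of this patch. If it still stops at NUM_DCR or at a per-instance DIMM count, the added slots stay NULL, and the probe loop in the last hunk passes dimm_dev[i] straight to dev_set_drvdata(), which dereferences its device argument. Please confirm the creation path covers all handle[] indexes, or add a NULL check before the dev_set_drvdata() call.
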
@@ -2678,7 +2678,7 @@ static int nfit_test_probe(struct platform_device *pdev)
u32 nfit_handle = __to_nfit_memdev(nfit_mem)->device_handle;
int i;
- for (i = 0; i < NUM_DCR; i++)
+ for (i = 0; i < ARRAY_SIZE(handle); i++)
if (nfit_handle == handle[i])
dev_set_drvdata(nfit_test->dimm_dev[i],
nfit_mem);
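
Review bot: the loop counter is declared as "int i;" just above the changed line, while ARRAY_SIZE(handle) is an unsigned value, so "i < ARRAY_SIZE(handle)" is now a signed/unsigned comparison. It is harmless here because i starts at 0 and only increments, but declaring i as unsigned int (or size_t) matches the bound and keeps sign-compare warnings quiet.
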
--
2.17.1