Re: [PATCH 2/2] mmc core block.c: avoid negative index with array access

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Avri Altman <Avri.Altman@wdc.com>
Cc: "linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
	Ulf Hansson <ulf.hansson@linaro.org>,
	Adrian Hunter <adrian.hunter@intel.com>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH 2/2] mmc core block.c: avoid negative index with array access
Date: Wed, 13 Mar 2024 16:18:23 +0200	[thread overview]
Message-ID: <ZfG1r9jmxBKPkmcd@nuoska> (raw)
In-Reply-To: <DM6PR04MB65753CE63956185656CB7580FC2A2@DM6PR04MB6575.namprd04.prod.outlook.com>

On Wed, Mar 13, 2024 at 02:12:52PM +0000, Avri Altman wrote:
> > -----Original Message-----
> > From: mikko.rapeli@linaro.org <mikko.rapeli@linaro.org>
> > Sent: Wednesday, March 13, 2024 3:38 PM
> > To: linux-mmc@vger.kernel.org
> > Cc: Mikko Rapeli <mikko.rapeli@linaro.org>; Avri Altman
> > <Avri.Altman@wdc.com>; Ulf Hansson <ulf.hansson@linaro.org>; Adrian Hunter
> > <adrian.hunter@intel.com>; stable@vger.kernel.org
> > Subject: [PATCH 2/2] mmc core block.c: avoid negative index with array access
> > 
> > CAUTION: This email originated from outside of Western Digital. Do not click
> > on links or open attachments unless you recognize the sender and know that the
> > content is safe.
> > 
> > 
> > From: Mikko Rapeli <mikko.rapeli@linaro.org>
> > 
> > Commit "mmc: core: Use mrq.sbc in close-ended ffu" assigns prev_idata =
> > idatas[i - 1] but doesn't check that int iterator i is greater than zero. Add the
> > check.
> I don't think this is even possible given 1/2.

With RPMB ioctl:

        case MMC_DRV_OP_IOCTL_RPMB:
                idata = mq_rq->drv_op_data;
                for (i = 0, ret = 0; i < mq_rq->ioc_count; i++) {
                        ret = __mmc_blk_ioctl_cmd(card, md, idata, i);
                        if (ret)
                                break;
                }

First call is with i = 0?

Cheers,

-Mikko

> Thanks,
> Avri
> 
> > 
> > Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
> > 
> > Link: https://lore.kernel.org/all/20231129092535.3278-1-
> > avri.altman@wdc.com/
> > 
> > Cc: Avri Altman <avri.altman@wdc.com>
> > Cc: Ulf Hansson <ulf.hansson@linaro.org>
> > Cc: Adrian Hunter <adrian.hunter@intel.com>
> > Cc: linux-mmc@vger.kernel.org
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > ---
> >  drivers/mmc/core/block.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index
> > 0df627de9cee..7f275b4ca9fa 100644
> > --- a/drivers/mmc/core/block.c
> > +++ b/drivers/mmc/core/block.c
> > @@ -488,7 +488,7 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card
> > *card, struct mmc_blk_data *md,
> >         if (idata->flags & MMC_BLK_IOC_DROP)
> >                 return 0;
> > 
> > -       if (idata->flags & MMC_BLK_IOC_SBC)
> > +       if (idata->flags & MMC_BLK_IOC_SBC && i > 0)
> >                 prev_idata = idatas[i - 1];
> > 
> >         /*
> > --
> > 2.34.1
>

next prev parent reply	other threads:[~2024-03-13 14:18 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-13 13:37 [PATCH 1/2] mmc core block.c: initialize mmc_blk_ioc_data mikko.rapeli
2024-03-13 13:37 ` [PATCH 2/2] mmc core block.c: avoid negative index with array access mikko.rapeli
2024-03-13 14:12   ` Avri Altman
2024-03-13 14:18     ` Mikko Rapeli [this message]
2024-03-13 14:24       ` Avri Altman
2024-03-24 16:17   ` Francesco Dolcini
2024-03-24 18:51     ` Avri Altman
2024-03-24 19:24       ` Francesco Dolcini
2024-03-25  9:31   ` Francesco Dolcini
2024-03-13 14:11 ` [PATCH 1/2] mmc core block.c: initialize mmc_blk_ioc_data Avri Altman
2024-03-13 14:23 ` Adrian Hunter
2024-03-25  9:30   ` Francesco Dolcini
2024-03-25 13:18 ` Ulf Hansson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZfG1r9jmxBKPkmcd@nuoska \
    --to=mikko.rapeli@linaro.org \
    --cc=Avri.Altman@wdc.com \
    --cc=adrian.hunter@intel.com \
    --cc=linux-mmc@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=ulf.hansson@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox