This patchset aims to fix an out-of-bounds bug in
the phy-ocelot-serdes driver.
Currently, there is an out-of-bounds read on array ctrl->phys,
once variable i reaches the maximum array size of SERDES_MAX
in the for loop.
Quentin Schulz pointed out that SERDES_MAX is a valid value to
index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1
in include/dt-bindings/phy/phy-ocelot-serdes.h.
Then I changed the condition in the for loop from
i <= SERDES_MAX to i < SERDES_MAX in order to
complete the fix.
The reason I'm sending this fix as a series is because
checkpatch reported an error when I first tried to
integrate the whole solution into a single patch. So,
changes to dt-bindings should be sent as a separate
patch.
Thanks
Gustavo A. R. Silva (2):
dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1
phy: ocelot-serdes: fix out-of-bounds read
drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++--
include/dt-bindings/phy/phy-ocelot-serdes.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--
2.7.4
Currently, there is an out-of-bounds read on array ctrl->phys,
once variable i reaches the maximum array size of SERDES_MAX
in the for loop.
Fix this by changing the condition in the for loop from
i <= SERDES_MAX to i < SERDES_MAX.
Addresses-Coverity-ID: 1473966 ("Out-of-bounds read")
Addresses-Coverity-ID: 1473959 ("Out-of-bounds read")
Fixes: 51f6b410fc22 ("phy: add driver for Microsemi Ocelot SerDes muxing")
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/phy/mscc/phy-ocelot-serdes.c b/drivers/phy/mscc/phy-ocelot-serdes.c
index 8936abd..c4eee3a 100644
--- a/drivers/phy/mscc/phy-ocelot-serdes.c
+++ b/drivers/phy/mscc/phy-ocelot-serdes.c
@@ -206,7 +206,7 @@ static struct phy *serdes_simple_xlate(struct device *dev,
port = args->args[0];
idx = args->args[1];
- for (i = 0; i <= SERDES_MAX; i++) {
+ for (i = 0; i < SERDES_MAX; i++) {
struct serdes_macro *macro = phy_get_drvdata(ctrl->phys[i]);
if (idx != macro->idx)
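Review bot: the new bound i < SERDES_MAX in serdes_simple_xlate() is only correct if SERDES_MAX is the number of entries in ctrl->phys, and nothing in this patch establishes that. The commit message should name the dt-bindings change it relies on; applied against the old definition, this loop stops one entry short and the last SerDes can no longer be looked up. If phys is declared as a fixed-size array, as the description says, writing the bound as i < ARRAY_SIZE(ctrl->phys) ties the loop to the array itself and removes the dependency on what the macro means.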
@@ -260,7 +260,7 @@ static int serdes_probe(struct platform_device *pdev)
if (!ctrl->regs)
return -ENODEV;
- for (i = 0; i <= SERDES_MAX; i++) {
+ for (i = 0; i < SERDES_MAX; i++) {
ret = serdes_phy_create(ctrl, i, &ctrl->phys[i]);
if (ret)
return ret;
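Review bot: in serdes_probe() the loop passes &ctrl->phys[i] to serdes_phy_create(), so with the old i <= SERDES_MAX bound the last iteration hands the callee the address of a slot past the end of the array, which is more than the "out-of-bounds read" the commit message describes. Please say in the message that this call site can store through that pointer, so the fix is triaged accordingly. The bound here should also take the same form as the one chosen in serdes_simple_xlate(), so the two loops cannot drift apart.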
--
2.7.4
SERDES_MAX is a valid value to index ctrl->phys in
drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
there is an out-of-bounds bug in the mentioned driver
when reading from ctrl->phys, because the size of
array ctrl->phys is SERDES_MAX.
Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
Notice that this is the first part of the solution to
the out-of-bounds bug mentioned above. Although this
change is not dependent on any other one.
Suggested-by: Quentin Schulz <[email protected]>
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
include/dt-bindings/phy/phy-ocelot-serdes.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/dt-bindings/phy/phy-ocelot-serdes.h b/include/dt-bindings/phy/phy-ocelot-serdes.h
index bd28f21..fe70ada 100644
--- a/include/dt-bindings/phy/phy-ocelot-serdes.h
+++ b/include/dt-bindings/phy/phy-ocelot-serdes.h
@@ -7,6 +7,6 @@
#define SERDES1G_MAX SERDES1G(5)
#define SERDES6G(x) (SERDES1G_MAX + 1 + (x))
#define SERDES6G_MAX SERDES6G(2)
-#define SERDES_MAX SERDES6G_MAX
+#define SERDES_MAX (SERDES6G_MAX + 1)
#endif
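Review bot: the new line #define SERDES_MAX (SERDES6G_MAX + 1) turns SERDES_MAX from the highest valid index into a count, while SERDES1G_MAX and SERDES6G_MAX directly above it stay highest-index values. Add a comment on that line saying it is the number of SerDes macros, or use a name that reads as a count, and check every other user of SERDES_MAX in the tree, since any code that treated it as an inclusive upper bound is off by one after this change.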
--
2.7.4
Hi Gustavo,
On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
> SERDES_MAX is a valid value to index ctrl->phys in
> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
> there is an out-of-bounds bug in the mentioned driver
> when reading from ctrl->phys, because the size of
> array ctrl->phys is SERDES_MAX.
>
> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
>
> Notice that this is the first part of the solution to
> the out-of-bounds bug mentioned above. Although this
> change is not dependent on any other one.
>
Reviewed-by: Quentin Schulz <[email protected]>
Thanks,
Quentin
Hi Gustavo,
On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
> Currently, there is an out-of-bounds read on array ctrl->phys,
> once variable i reaches the maximum array size of SERDES_MAX
> in the for loop.
>
> Fix this by changing the condition in the for loop from
> i <= SERDES_MAX to i < SERDES_MAX.
>
Reviewed-by: Quentin Schulz <[email protected]>
Thanks,
Quentin
Hi Gustavo,
On Tue, Oct 09, 2018 at 12:20:28AM +0200, Gustavo A. R. Silva wrote:
> This patchset aims to fix an out-of-bounds bug in
> the phy-ocelot-serdes driver.
>
> Currently, there is an out-of-bounds read on array ctrl->phys,
> once variable i reaches the maximum array size of SERDES_MAX
> in the for loop.
>
> Quentin Schulz pointed out that SERDES_MAX is a valid value to
> index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1
> in include/dt-bindings/phy/phy-ocelot-serdes.h.
>
> Then I changed the condition in the for loop from
> i <= SERDES_MAX to i < SERDES_MAX in order to
> complete the fix.
>
> The reason I'm sending this fix as a series is because
> checkpatch reported an error when I first tried to
> integrate the whole solution into a single patch. So,
> changes to dt-bindings should be sent as a separate
> patch.
>
Much appreciated, thank you!
Quentin
On 10/9/18 9:28 AM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Tue, Oct 09, 2018 at 12:20:28AM +0200, Gustavo A. R. Silva wrote:
>> This patchset aims to fix an out-of-bounds bug in
>> the phy-ocelot-serdes driver.
>>
>> Currently, there is an out-of-bounds read on array ctrl->phys,
>> once variable i reaches the maximum array size of SERDES_MAX
>> in the for loop.
>>
>> Quentin Schulz pointed out that SERDES_MAX is a valid value to
>> index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1
>> in include/dt-bindings/phy/phy-ocelot-serdes.h.
>>
>> Then I changed the condition in the for loop from
>> i <= SERDES_MAX to i < SERDES_MAX in order to
>> complete the fix.
>>
>> The reason I'm sending this fix as a series is because
>> checkpatch reported an error when I first tried to
>> integrate the whole solution into a single patch. So,
>> changes to dt-bindings should be sent as a separate
>> patch.
>>
>
> Much appreciated, thank you!
>
Glad to help. :)
Thanks
--
Gustavo
Hi,
On 10/9/18 9:27 AM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
>> SERDES_MAX is a valid value to index ctrl->phys in
>> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
>> there is an out-of-bounds bug in the mentioned driver
>> when reading from ctrl->phys, because the size of
>> array ctrl->phys is SERDES_MAX.
>>
>> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
>>
>> Notice that this is the first part of the solution to
>> the out-of-bounds bug mentioned above. Although this
>> change is not dependent on any other one.
>>
>
> Reviewed-by: Quentin Schulz <[email protected]>
>
Friendly ping. Who can you take this?
Thanks!
--
Gustavo
Hi,
On Tuesday 16 October 2018 02:16 PM, Gustavo A. R. Silva wrote:
> Hi,
>
> On 10/9/18 9:28 AM, Quentin Schulz wrote:
>> Hi Gustavo,
>>
>> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>>> Currently, there is an out-of-bounds read on array ctrl->phys,
>>> once variable i reaches the maximum array size of SERDES_MAX
>>> in the for loop.
>>>
>>> Fix this by changing the condition in the for loop from
>>> i <= SERDES_MAX to i < SERDES_MAX.
>>>
>>
>> Reviewed-by: Quentin Schulz <[email protected]>
>>
>
> Friendly ping. Who can you take this?
This can go during the 4.20 -rc cycle.
Thanks
Kishon
Hi,
On 10/9/18 9:28 AM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>> Currently, there is an out-of-bounds read on array ctrl->phys,
>> once variable i reaches the maximum array size of SERDES_MAX
>> in the for loop.
>>
>> Fix this by changing the condition in the for loop from
>> i <= SERDES_MAX to i < SERDES_MAX.
>>
>
> Reviewed-by: Quentin Schulz <[email protected]>
>
Friendly ping. Who can you take this?
Thanks!
--
Gustavo
On Tue, Oct 16, 2018 at 10:44:52AM +0200, Gustavo A. R. Silva wrote:
> Hi,
>
> On 10/9/18 9:27 AM, Quentin Schulz wrote:
> > Hi Gustavo,
> >
> > On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
> >> SERDES_MAX is a valid value to index ctrl->phys in
> >> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
> >> there is an out-of-bounds bug in the mentioned driver
> >> when reading from ctrl->phys, because the size of
> >> array ctrl->phys is SERDES_MAX.
> >>
> >> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
> >>
> >> Notice that this is the first part of the solution to
> >> the out-of-bounds bug mentioned above. Although this
> >> change is not dependent on any other one.
> >>
> >
> > Reviewed-by: Quentin Schulz <[email protected]>
> >
>
> Friendly ping. Who can you take this?
Applied. No need (nor benefit) to ping me. You can check the status of
DT patches on patchwork[1]. If it is there and in the "New" state, it is
in my queue.
Rob
[1] https://patchwork.ozlabs.org/project/devicetree-bindings/list/
On 10/17/18 5:09 PM, Rob Herring wrote:
>>
>> Friendly ping. Who can you take this?
>
> Applied. No need (nor benefit) to ping me. You can check the status of
> DT patches on patchwork[1]. If it is there and in the "New" state, it is
> in my queue.
>
OK. I've got it. I just didn't know who usually takes these dt-bindings patches.
> Rob
>
> [1] https://patchwork.ozlabs.org/project/devicetree-bindings/list/
>
Thanks, Rob.
--
Gustavo
On Wed, Oct 17, 2018 at 10:09:31AM -0500, Rob Herring wrote:
> On Tue, Oct 16, 2018 at 10:44:52AM +0200, Gustavo A. R. Silva wrote:
> > Hi,
> >
> > On 10/9/18 9:27 AM, Quentin Schulz wrote:
> > > Hi Gustavo,
> > >
> > > On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
> > >> SERDES_MAX is a valid value to index ctrl->phys in
> > >> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
> > >> there is an out-of-bounds bug in the mentioned driver
> > >> when reading from ctrl->phys, because the size of
> > >> array ctrl->phys is SERDES_MAX.
> > >>
> > >> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
> > >>
> > >> Notice that this is the first part of the solution to
> > >> the out-of-bounds bug mentioned above. Although this
> > >> change is not dependent on any other one.
> > >>
> > >
> > > Reviewed-by: Quentin Schulz <[email protected]>
> > >
> >
> > Friendly ping. Who can you take this?
>
> Applied. No need (nor benefit) to ping me. You can check the status of
> DT patches on patchwork[1]. If it is there and in the "New" state, it is
> in my queue.
Actually, this doesn't apply to my tree as the file doesn't exist. It
needs to go thru the phy tree. You didn't Cc the maintainer nor list, so
resend.
Acked-by: Rob Herring <[email protected]>
Rob
On 10/17/18 5:23 PM, Rob Herring wrote:
>>> Friendly ping. Who can you take this?
>>
>> Applied. No need (nor benefit) to ping me. You can check the status of
>> DT patches on patchwork[1]. If it is there and in the "New" state, it is
>> in my queue.
>
> Actually, this doesn't apply to my tree as the file doesn't exist. It
> needs to go thru the phy tree. You didn't Cc the maintainer nor list, so
> resend.
>
This is what I get when I run the get_maintainer script:
linux$ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback include/dt-bindings/phy/phy-ocelot-serdes.h
Rob Herring <[email protected]> (maintainer:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS)
Mark Rutland <[email protected]> (maintainer:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS)
[email protected] (open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS)
[email protected] (open list)
But I'll send it to the phy guys as you suggest.
> Acked-by: Rob Herring <[email protected]>
>
Thanks
--
Gustavo
Hi Kishon,
On 10/16/18 10:48 AM, Kishon Vijay Abraham I wrote:
> Hi,
>
> On Tuesday 16 October 2018 02:16 PM, Gustavo A. R. Silva wrote:
>> Hi,
>>
>> On 10/9/18 9:28 AM, Quentin Schulz wrote:
>>> Hi Gustavo,
>>>
>>> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>>>> Currently, there is an out-of-bounds read on array ctrl->phys,
>>>> once variable i reaches the maximum array size of SERDES_MAX
>>>> in the for loop.
>>>>
>>>> Fix this by changing the condition in the for loop from
>>>> i <= SERDES_MAX to i < SERDES_MAX.
>>>>
>>>
>>> Reviewed-by: Quentin Schulz <[email protected]>
>>>
>>
>> Friendly ping. Who can you take this?
>
> This can go during the 4.20 -rc cycle.
>
Should I resend the following patch to you, so the whole series is
applied to your phy tree?
https://lore.kernel.org/patchwork/patch/997326/
Thanks
--
Gustavo
Hi,
On 17/10/18 9:07 PM, Gustavo A. R. Silva wrote:
> Hi Kishon,
>
> On 10/16/18 10:48 AM, Kishon Vijay Abraham I wrote:
>> Hi,
>>
>> On Tuesday 16 October 2018 02:16 PM, Gustavo A. R. Silva wrote:
>>> Hi,
>>>
>>> On 10/9/18 9:28 AM, Quentin Schulz wrote:
>>>> Hi Gustavo,
>>>>
>>>> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>>>>> Currently, there is an out-of-bounds read on array ctrl->phys,
>>>>> once variable i reaches the maximum array size of SERDES_MAX
>>>>> in the for loop.
>>>>>
>>>>> Fix this by changing the condition in the for loop from
>>>>> i <= SERDES_MAX to i < SERDES_MAX.
>>>>>
>>>>
>>>> Reviewed-by: Quentin Schulz <[email protected]>
>>>>
>>>
>>> Friendly ping. Who can you take this?
>>
>> This can go during the 4.20 -rc cycle.
>>
>
> Should I resend the following patch to you, so the whole series is
> applied to your phy tree?
>
> https://lore.kernel.org/patchwork/patch/997326/
This is merged by David Miller.
Thanks
Kishon