2018-10-08 22:21:23

by Gustavo A. R. Silva

[permalink] [raw]
Subject: [PATCH 0/2] phy: ocelot-serdes: fix out-of-bounds bug

This patchset aims to fix an out-of-bounds bug in
the phy-ocelot-serdes driver.

Currently, there is an out-of-bounds read on array ctrl->phys,
once variable i reaches the maximum array size of SERDES_MAX
in the for loop.

Quentin Schulz pointed out that SERDES_MAX is a valid value to
index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1
in include/dt-bindings/phy/phy-ocelot-serdes.h.

Then I changed the condition in the for loop from
i <= SERDES_MAX to i < SERDES_MAX in order to
complete the fix.

The reason I'm sending this fix as series is because
checkpatch reported an error when I first tried to
integrate the whole solution into a singe patch. So,
changes to dt-bindings should be sent as a separate
patch.

Thanks

Gustavo A. R. Silva (2):
dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1
phy: ocelot-serdes: fix out-of-bounds read

drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++--
include/dt-bindings/phy/phy-ocelot-serdes.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)

--
2.7.4



2018-10-08 22:23:22

by Gustavo A. R. Silva

[permalink] [raw]
Subject: [PATCH 2/2] phy: ocelot-serdes: fix out-of-bounds read

Currently, there is an out-of-bounds read on array ctrl->phys,
once variable i reaches the maximum array size of SERDES_MAX
in the for loop.

Fix this by changing the condition in the for loop from
i <= SERDES_MAX to i < SERDES_MAX.

Addresses-Coverity-ID: 1473966 ("Out-of-bounds read")
Addresses-Coverity-ID: 1473959 ("Out-of-bounds read")
Fixes: 51f6b410fc22 ("phy: add driver for Microsemi Ocelot SerDes muxing")
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/phy/mscc/phy-ocelot-serdes.c b/drivers/phy/mscc/phy-ocelot-serdes.c
index 8936abd..c4eee3a 100644
--- a/drivers/phy/mscc/phy-ocelot-serdes.c
+++ b/drivers/phy/mscc/phy-ocelot-serdes.c
@@ -206,7 +206,7 @@ static struct phy *serdes_simple_xlate(struct device *dev,
port = args->args[0];
idx = args->args[1];

- for (i = 0; i <= SERDES_MAX; i++) {
+ for (i = 0; i < SERDES_MAX; i++) {
struct serdes_macro *macro = phy_get_drvdata(ctrl->phys[i]);

if (idx != macro->idx)
@@ -260,7 +260,7 @@ static int serdes_probe(struct platform_device *pdev)
if (!ctrl->regs)
return -ENODEV;

- for (i = 0; i <= SERDES_MAX; i++) {
+ for (i = 0; i < SERDES_MAX; i++) {
ret = serdes_phy_create(ctrl, i, &ctrl->phys[i]);
if (ret)
return ret;
--
2.7.4


2018-10-08 22:23:48

by Gustavo A. R. Silva

[permalink] [raw]
Subject: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1

SERDES_MAX is a valid value to index ctrl->phys in
drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
there is an out-of-bounds bug in the mentioned driver
when reading from ctrl->phys, because the size of
array ctrl->phys is SERDES_MAX.

Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.

Notice that this is the first part of the solution to
the out-of-bounds bug mentioned above. Although this
change is not dependent on any other one.

Suggested-by: Quentin Schulz <[email protected]>
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
include/dt-bindings/phy/phy-ocelot-serdes.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/dt-bindings/phy/phy-ocelot-serdes.h b/include/dt-bindings/phy/phy-ocelot-serdes.h
index bd28f21..fe70ada 100644
--- a/include/dt-bindings/phy/phy-ocelot-serdes.h
+++ b/include/dt-bindings/phy/phy-ocelot-serdes.h
@@ -7,6 +7,6 @@
#define SERDES1G_MAX SERDES1G(5)
#define SERDES6G(x) (SERDES1G_MAX + 1 + (x))
#define SERDES6G_MAX SERDES6G(2)
-#define SERDES_MAX SERDES6G_MAX
+#define SERDES_MAX (SERDES6G_MAX + 1)

#endif
--
2.7.4


2018-10-09 07:28:12

by Quentin Schulz

[permalink] [raw]
Subject: Re: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1

Hi Gustavo,

On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
> SERDES_MAX is a valid value to index ctrl->phys in
> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
> there is an out-of-bounds bug in the mentioned driver
> when reading from ctrl->phys, because the size of
> array ctrl->phys is SERDES_MAX.
>
> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
>
> Notice that this is the first part of the solution to
> the out-of-bounds bug mentioned above. Although this
> change is not dependent on any other one.
>

Reviewed-by: Quentin Schulz <[email protected]>

Thanks,
Quentin


Attachments:
(No filename) (660.00 B)
signature.asc (849.00 B)
Download all attachments

2018-10-09 07:29:26

by Quentin Schulz

[permalink] [raw]
Subject: Re: [PATCH 2/2] phy: ocelot-serdes: fix out-of-bounds read

Hi Gustavo,

On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
> Currently, there is an out-of-bounds read on array ctrl->phys,
> once variable i reaches the maximum array size of SERDES_MAX
> in the for loop.
>
> Fix this by changing the condition in the for loop from
> i <= SERDES_MAX to i < SERDES_MAX.
>

Reviewed-by: Quentin Schulz <[email protected]>

Thanks,
Quentin


Attachments:
(No filename) (420.00 B)
signature.asc (849.00 B)
Download all attachments

2018-10-09 07:29:57

by Quentin Schulz

[permalink] [raw]
Subject: Re: [PATCH 0/2] phy: ocelot-serdes: fix out-of-bounds bug

Hi Gustavo,

On Tue, Oct 09, 2018 at 12:20:28AM +0200, Gustavo A. R. Silva wrote:
> This patchset aims to fix an out-of-bounds bug in
> the phy-ocelot-serdes driver.
>
> Currently, there is an out-of-bounds read on array ctrl->phys,
> once variable i reaches the maximum array size of SERDES_MAX
> in the for loop.
>
> Quentin Schulz pointed out that SERDES_MAX is a valid value to
> index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1
> in include/dt-bindings/phy/phy-ocelot-serdes.h.
>
> Then I changed the condition in the for loop from
> i <= SERDES_MAX to i < SERDES_MAX in order to
> complete the fix.
>
> The reason I'm sending this fix as series is because
> checkpatch reported an error when I first tried to
> integrate the whole solution into a singe patch. So,
> changes to dt-bindings should be sent as a separate
> patch.
>

Much appreciated, thank you!

Quentin


Attachments:
(No filename) (924.00 B)
signature.asc (849.00 B)
Download all attachments

2018-10-09 14:15:07

by Gustavo A. R. Silva

[permalink] [raw]
Subject: Re: [PATCH 0/2] phy: ocelot-serdes: fix out-of-bounds bug



On 10/9/18 9:28 AM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Tue, Oct 09, 2018 at 12:20:28AM +0200, Gustavo A. R. Silva wrote:
>> This patchset aims to fix an out-of-bounds bug in
>> the phy-ocelot-serdes driver.
>>
>> Currently, there is an out-of-bounds read on array ctrl->phys,
>> once variable i reaches the maximum array size of SERDES_MAX
>> in the for loop.
>>
>> Quentin Schulz pointed out that SERDES_MAX is a valid value to
>> index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1
>> in include/dt-bindings/phy/phy-ocelot-serdes.h.
>>
>> Then I changed the condition in the for loop from
>> i <= SERDES_MAX to i < SERDES_MAX in order to
>> complete the fix.
>>
>> The reason I'm sending this fix as series is because
>> checkpatch reported an error when I first tried to
>> integrate the whole solution into a singe patch. So,
>> changes to dt-bindings should be sent as a separate
>> patch.
>>
>
> Much appreciated, thank you!
>

Glad to help. :)

Thanks
--
Gustavo

2018-10-16 08:52:23

by Gustavo A. R. Silva

[permalink] [raw]
Subject: Re: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1

Hi,

On 10/9/18 9:27 AM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
>> SERDES_MAX is a valid value to index ctrl->phys in
>> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
>> there is an out-of-bounds bug in the mentioned driver
>> when reading from ctrl->phys, because the size of
>> array ctrl->phys is SERDES_MAX.
>>
>> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
>>
>> Notice that this is the first part of the solution to
>> the out-of-bounds bug mentioned above. Although this
>> change is not dependent on any other one.
>>
>
> Reviewed-by: Quentin Schulz <[email protected]>
>

Friendly ping. Who can you take this?

Thanks!
--
Gustavo

2018-10-16 08:56:26

by Kishon Vijay Abraham I

[permalink] [raw]
Subject: Re: [PATCH 2/2] phy: ocelot-serdes: fix out-of-bounds read

Hi,

On Tuesday 16 October 2018 02:16 PM, Gustavo A. R. Silva wrote:
> Hi,
>
> On 10/9/18 9:28 AM, Quentin Schulz wrote:
>> Hi Gustavo,
>>
>> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>>> Currently, there is an out-of-bounds read on array ctrl->phys,
>>> once variable i reaches the maximum array size of SERDES_MAX
>>> in the for loop.
>>>
>>> Fix this by changing the condition in the for loop from
>>> i <= SERDES_MAX to i < SERDES_MAX.
>>>
>>
>> Reviewed-by: Quentin Schulz <[email protected]>
>>
>
> Friendly ping. Who can you take this?

This can go during the 4.20 -rc cycle.

Thanks
Kishon

2018-10-16 08:58:16

by Gustavo A. R. Silva

[permalink] [raw]
Subject: Re: [PATCH 2/2] phy: ocelot-serdes: fix out-of-bounds read

Hi,

On 10/9/18 9:28 AM, Quentin Schulz wrote:
> Hi Gustavo,
>
> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>> Currently, there is an out-of-bounds read on array ctrl->phys,
>> once variable i reaches the maximum array size of SERDES_MAX
>> in the for loop.
>>
>> Fix this by changing the condition in the for loop from
>> i <= SERDES_MAX to i < SERDES_MAX.
>>
>
> Reviewed-by: Quentin Schulz <[email protected]>
>

Friendly ping. Who can you take this?

Thanks!
--
Gustavo

2018-10-17 15:12:23

by Rob Herring (Arm)

[permalink] [raw]
Subject: Re: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1

On Tue, Oct 16, 2018 at 10:44:52AM +0200, Gustavo A. R. Silva wrote:
> Hi,
>
> On 10/9/18 9:27 AM, Quentin Schulz wrote:
> > Hi Gustavo,
> >
> > On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
> >> SERDES_MAX is a valid value to index ctrl->phys in
> >> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
> >> there is an out-of-bounds bug in the mentioned driver
> >> when reading from ctrl->phys, because the size of
> >> array ctrl->phys is SERDES_MAX.
> >>
> >> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
> >>
> >> Notice that this is the first part of the solution to
> >> the out-of-bounds bug mentioned above. Although this
> >> change is not dependent on any other one.
> >>
> >
> > Reviewed-by: Quentin Schulz <[email protected]>
> >
>
> Friendly ping. Who can you take this?

Applied. No need (nor benefit) to ping me. You can check the status of
DT patches on patchwork[1]. If it is there and in the "New" state, it is
in my queue.

Rob

[1] https://patchwork.ozlabs.org/project/devicetree-bindings/list/

2018-10-17 15:20:51

by Gustavo A. R. Silva

[permalink] [raw]
Subject: Re: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1



On 10/17/18 5:09 PM, Rob Herring wrote:

>>
>> Friendly ping. Who can you take this?
>
> Applied. No need (nor benefit) to ping me. You can check the status of
> DT patches on patchwork[1]. If it is there and in the "New" state, it is
> in my queue.
>

OK. I've got it. I just didn't know who usually takes these dt-bindings patches.

> Rob
>
> [1] https://patchwork.ozlabs.org/project/devicetree-bindings/list/
>

Thanks, Rob.
--
Gustavo

2018-10-17 15:25:00

by Rob Herring (Arm)

[permalink] [raw]
Subject: Re: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1

On Wed, Oct 17, 2018 at 10:09:31AM -0500, Rob Herring wrote:
> On Tue, Oct 16, 2018 at 10:44:52AM +0200, Gustavo A. R. Silva wrote:
> > Hi,
> >
> > On 10/9/18 9:27 AM, Quentin Schulz wrote:
> > > Hi Gustavo,
> > >
> > > On Tue, Oct 09, 2018 at 12:21:36AM +0200, Gustavo A. R. Silva wrote:
> > >> SERDES_MAX is a valid value to index ctrl->phys in
> > >> drivers/phy/mscc/phy-ocelot-serdes.c. But, currently,
> > >> there is an out-of-bounds bug in the mentioned driver
> > >> when reading from ctrl->phys, because the size of
> > >> array ctrl->phys is SERDES_MAX.
> > >>
> > >> Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1.
> > >>
> > >> Notice that this is the first part of the solution to
> > >> the out-of-bounds bug mentioned above. Although this
> > >> change is not dependent on any other one.
> > >>
> > >
> > > Reviewed-by: Quentin Schulz <[email protected]>
> > >
> >
> > Friendly ping. Who can you take this?
>
> Applied. No need (nor benefit) to ping me. You can check the status of
> DT patches on patchwork[1]. If it is there and in the "New" state, it is
> in my queue.

Actually, this doesn't apply to my tree as the file doesn't exist. It
needs to go thru the phy tree. You didn't Cc the maintainer nor list, so
resend.

Acked-by: Rob Herring <[email protected]>

Rob

2018-10-17 15:46:31

by Gustavo A. R. Silva

[permalink] [raw]
Subject: Re: [PATCH 1/2] dt-bindings: phy: Update SERDES_MAX to be SERDES_MAX + 1



On 10/17/18 5:23 PM, Rob Herring wrote:

>>> Friendly ping. Who can you take this?
>>
>> Applied. No need (nor benefit) to ping me. You can check the status of
>> DT patches on patchwork[1]. If it is there and in the "New" state, it is
>> in my queue.
>
> Actually, this doesn't apply to my tree as the file doesn't exist. It
> needs to go thru the phy tree. You didn't Cc the maintainer nor list, so
> resend.
>

This is what I get when I run the get_maintainer script:

linux$ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback include/dt-bindings/phy/phy-ocelot-serdes.h
Rob Herring <[email protected]> (maintainer:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS)
Mark Rutland <[email protected]> (maintainer:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS)
[email protected] (open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS)
[email protected] (open list)

But I'll send it to the phy guys as you suggest.

> Acked-by: Rob Herring <[email protected]>
>

Thanks
--
Gustavo

2018-10-17 16:14:14

by Gustavo A. R. Silva

[permalink] [raw]
Subject: Re: [PATCH 2/2] phy: ocelot-serdes: fix out-of-bounds read

Hi Kishon,

On 10/16/18 10:48 AM, Kishon Vijay Abraham I wrote:
> Hi,
>
> On Tuesday 16 October 2018 02:16 PM, Gustavo A. R. Silva wrote:
>> Hi,
>>
>> On 10/9/18 9:28 AM, Quentin Schulz wrote:
>>> Hi Gustavo,
>>>
>>> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>>>> Currently, there is an out-of-bounds read on array ctrl->phys,
>>>> once variable i reaches the maximum array size of SERDES_MAX
>>>> in the for loop.
>>>>
>>>> Fix this by changing the condition in the for loop from
>>>> i <= SERDES_MAX to i < SERDES_MAX.
>>>>
>>>
>>> Reviewed-by: Quentin Schulz <[email protected]>
>>>
>>
>> Friendly ping. Who can you take this?
>
> This can go during the 4.20 -rc cycle.
>

Should I resend the following patch to you, so the whole series is
applied to your phy tree?

https://lore.kernel.org/patchwork/patch/997326/

Thanks
--
Gustavo

2018-11-12 08:30:04

by Kishon Vijay Abraham I

[permalink] [raw]
Subject: Re: [PATCH 2/2] phy: ocelot-serdes: fix out-of-bounds read

Hi,

On 17/10/18 9:07 PM, Gustavo A. R. Silva wrote:
> Hi Kishon,
>
> On 10/16/18 10:48 AM, Kishon Vijay Abraham I wrote:
>> Hi,
>>
>> On Tuesday 16 October 2018 02:16 PM, Gustavo A. R. Silva wrote:
>>> Hi,
>>>
>>> On 10/9/18 9:28 AM, Quentin Schulz wrote:
>>>> Hi Gustavo,
>>>>
>>>> On Tue, Oct 09, 2018 at 12:22:33AM +0200, Gustavo A. R. Silva wrote:
>>>>> Currently, there is an out-of-bounds read on array ctrl->phys,
>>>>> once variable i reaches the maximum array size of SERDES_MAX
>>>>> in the for loop.
>>>>>
>>>>> Fix this by changing the condition in the for loop from
>>>>> i <= SERDES_MAX to i < SERDES_MAX.
>>>>>
>>>>
>>>> Reviewed-by: Quentin Schulz <[email protected]>
>>>>
>>>
>>> Friendly ping. Who can you take this?
>>
>> This can go during the 4.20 -rc cycle.
>>
>
> Should I resend the following patch to you, so the whole series is
> applied to your phy tree?
>
> https://lore.kernel.org/patchwork/patch/997326/

This is merged by David Miller.

Thanks
Kishon