&cmd->asiv of size 96 can overflow because its index (asiv_offs + 8)
can be equal to 96 (0x58 + 0x08) that is out of range.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Aleksandr Burakov <[email protected]>
Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
---
drivers/misc/genwqe/card_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c
index 55fc5b80e649..d58ce2622307 100644
--- a/drivers/misc/genwqe/card_dev.c
+++ b/drivers/misc/genwqe/card_dev.c
@@ -867,7 +867,7 @@ static int ddcb_cmd_fixups(struct genwqe_file *cfile, struct ddcb_requ *req)
struct genwqe_ddcb_cmd *cmd = &req->cmd;
struct dma_mapping *m;
- for (i = 0, asiv_offs = 0x00; asiv_offs <= 0x58;
+ for (i = 0, asiv_offs = 0x00; asiv_offs < 0x58;
i++, asiv_offs += 0x08) {
u64 u_addr;
--
2.25.1
On Wed, Dec 07, 2022 at 05:18:08PM +0300, Aleksandr Burakov wrote:
> &cmd->asiv of size 96 can overflow because its index (asiv_offs + 8)
> can be equal to 96 (0x58 + 0x08) that is out of range.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Aleksandr Burakov <[email protected]>
> Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
> ---
> drivers/misc/genwqe/card_dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c
> index 55fc5b80e649..d58ce2622307 100644
> --- a/drivers/misc/genwqe/card_dev.c
> +++ b/drivers/misc/genwqe/card_dev.c
> @@ -867,7 +867,7 @@ static int ddcb_cmd_fixups(struct genwqe_file *cfile, struct ddcb_requ *req)
> struct genwqe_ddcb_cmd *cmd = &req->cmd;
> struct dma_mapping *m;
>
> - for (i = 0, asiv_offs = 0x00; asiv_offs <= 0x58;
> + for (i = 0, asiv_offs = 0x00; asiv_offs < 0x58;
> i++, asiv_offs += 0x08) {
>
> u64 u_addr;
> --
> 2.25.1
>
Where is patch 1/2 of this series?
Hello!
The subject was created this way due to technical issues. There is only one patch here.
With best regards,
A. Burakov
----- Исходное сообщение -----
От: "Greg Kroah-Hartman" <[email protected]>
Кому: "Александр Бураков" <[email protected]>
Копия: "Frank Haverkamp" <[email protected]>, "Arnd Bergmann" <[email protected]>, [email protected], [email protected]
Отправленные: Среда, 7 Декабрь 2022 г 19:23:12
Тема: Re: [PATCH 2/2] misc: genwqe: card_dev: Array index overflow fix in ddcb_cmd_fixups()
On Wed, Dec 07, 2022 at 05:18:08PM +0300, Aleksandr Burakov wrote:
> &cmd->asiv of size 96 can overflow because its index (asiv_offs + 8)
> can be equal to 96 (0x58 + 0x08) that is out of range.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Aleksandr Burakov <[email protected]>
> Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
> ---
> drivers/misc/genwqe/card_dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c
> index 55fc5b80e649..d58ce2622307 100644
> --- a/drivers/misc/genwqe/card_dev.c
> +++ b/drivers/misc/genwqe/card_dev.c
> @@ -867,7 +867,7 @@ static int ddcb_cmd_fixups(struct genwqe_file *cfile, struct ddcb_requ *req)
> struct genwqe_ddcb_cmd *cmd = &req->cmd;
> struct dma_mapping *m;
>
> - for (i = 0, asiv_offs = 0x00; asiv_offs <= 0x58;
> + for (i = 0, asiv_offs = 0x00; asiv_offs < 0x58;
> i++, asiv_offs += 0x08) {
>
> u64 u_addr;
> --
> 2.25.1
>
Where is patch 1/2 of this series?
A: http://en.wikipedia.org/wiki/Top_post
Q: Were do I find info about this thing called top-posting?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
A: No.
Q: Should I include quotations after my reply?
http://daringfireball.net/2007/07/on_top
On Thu, Dec 08, 2022 at 01:55:01PM +0300, Александр Бураков wrote:
> Hello!
>
> The subject was created this way due to technical issues. There is only one patch here.
Great, then please fix up those issues and resend a version 2 of this
patch, otherwise it confuses us all. Please remember that we optimize
for review, and as such, if you make a mistake like this, it's up to you
to fix it up, not us.
thanks,
greg k-h