The size of array 'priv->ports[]' is INNO_PHY_PORT_NUM.
In the for loop, 'i' is used as the index for array 'priv->ports[]'
with a check (i > INNO_PHY_PORT_NUM) which indicates that
INNO_PHY_PORT_NUM is allowed value for 'i' in the same loop.
This > comparison needs to be changed to >=, otherwise it potentially leads
to an out of bounds write on the next iteration through the loop
Fixes: ba8b0ee81fbb ("phy: add inno-usb2-phy driver for hi3798cv200 SoC")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Harshit Mogalapalli <[email protected]>
---
This is purely based on static analysis, only compile tested.
Inspired based on a patch from Christophe Jaillet:
https://lore.kernel.org/all/cd01cba1c7eda58bdabaae174c78c067325803d2.1689803636.git.christophe.jaillet@wanadoo.fr/
---
drivers/phy/hisilicon/phy-hisi-inno-usb2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/phy/hisilicon/phy-hisi-inno-usb2.c b/drivers/phy/hisilicon/phy-hisi-inno-usb2.c
index 498afd81696b..c138cd4807d6 100644
--- a/drivers/phy/hisilicon/phy-hisi-inno-usb2.c
+++ b/drivers/phy/hisilicon/phy-hisi-inno-usb2.c
@@ -185,7 +185,7 @@ static int hisi_inno_phy_probe(struct platform_device *pdev)
phy_set_drvdata(phy, &priv->ports[i]);
i++;
- if (i > INNO_PHY_PORT_NUM) {
+ if (i >= INNO_PHY_PORT_NUM) {
dev_warn(dev, "Support %d ports in maximum\n", i);
of_node_put(child);
break;
--
2.39.3
On Fri, 21 Jul 2023 02:05:55 -0700, Harshit Mogalapalli wrote:
> The size of array 'priv->ports[]' is INNO_PHY_PORT_NUM.
>
> In the for loop, 'i' is used as the index for array 'priv->ports[]'
> with a check (i > INNO_PHY_PORT_NUM) which indicates that
> INNO_PHY_PORT_NUM is allowed value for 'i' in the same loop.
>
> This > comparison needs to be changed to >=, otherwise it potentially leads
> to an out of bounds write on the next iteration through the loop
>
> [...]
Applied, thanks!
[1/1] phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
commit: 13c088cf3657d70893d75cf116be937f1509cc0f
Best regards,
--
~Vinod