2024-03-21 16:57:29

by Mikhail Kobuk

[permalink] [raw]
Subject: [PATCH 1/2] phy: marvell: a3700-comphy: Fix out of bounds read

There is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'
every iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.

Make sure 'gbe_phy_init[addr]' is used when all elements of
'gbe_phy_init_fix' array are handled.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 934337080c6c ("phy: marvell: phy-mvebu-a3700-comphy: Add native kernel implementation")
Signed-off-by: Mikhail Kobuk <[email protected]>
---
drivers/phy/marvell/phy-mvebu-a3700-comphy.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/phy/marvell/phy-mvebu-a3700-comphy.c b/drivers/phy/marvell/phy-mvebu-a3700-comphy.c
index 15bf10710de0..1d1db1737422 100644
--- a/drivers/phy/marvell/phy-mvebu-a3700-comphy.c
+++ b/drivers/phy/marvell/phy-mvebu-a3700-comphy.c
@@ -611,11 +611,12 @@ static void comphy_gbe_phy_init(struct mvebu_a3700_comphy_lane *lane,
* comparison to 3.125 Gbps values. These register values are
* stored in "gbe_phy_init_fix" array.
*/
- if (!is_1gbps && gbe_phy_init_fix[fix_idx].addr == addr) {
+ if (!is_1gbps &&
+ fix_idx < ARRAY_SIZE(gbe_phy_init_fix) &&
+ gbe_phy_init_fix[fix_idx].addr == addr) {
/* Use new value */
val = gbe_phy_init_fix[fix_idx].value;
- if (fix_idx < ARRAY_SIZE(gbe_phy_init_fix))
- fix_idx++;
+ fix_idx++;
} else {
val = gbe_phy_init[addr];
}
--
2.44.0



2024-03-22 07:25:28

by Miquel Raynal

[permalink] [raw]
Subject: Re: [PATCH 1/2] phy: marvell: a3700-comphy: Fix out of bounds read

Hi Mikhail,

[email protected] wrote on Thu, 21 Mar 2024 19:47:30 +0300:

> There is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'
> every iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.
>
> Make sure 'gbe_phy_init[addr]' is used when all elements of
> 'gbe_phy_init_fix' array are handled.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 934337080c6c ("phy: marvell: phy-mvebu-a3700-comphy: Add native kernel implementation")
> Signed-off-by: Mikhail Kobuk <[email protected]>

Reviewed-by: Miquel Raynal <[email protected]>

Thanks,
Miquèl

2024-04-05 17:10:00

by Vinod Koul

[permalink] [raw]
Subject: Re: [PATCH 1/2] phy: marvell: a3700-comphy: Fix out of bounds read


On Thu, 21 Mar 2024 19:47:30 +0300, Mikhail Kobuk wrote:
> There is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'
> every iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.
>
> Make sure 'gbe_phy_init[addr]' is used when all elements of
> 'gbe_phy_init_fix' array are handled.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> [...]

Applied, thanks!

[1/2] phy: marvell: a3700-comphy: Fix out of bounds read
commit: e4308bc22b9d46cf33165c9dfaeebcf29cd56f04
[2/2] phy: marvell: a3700-comphy: Fix hardcoded array size
commit: 627207703b73615653eea5ab7a841d5b478d961e

Best regards,
--
~Vinod