LinuxLists.cc - [PATCH 1/2] hte: fix off by one in hte_push_ts

2022-05-07 13:52:00

Subject: [PATCH 1/2] hte: fix off by one in hte_push_ts_ns()

The &chip->gdev->ei[] array has chip->nlines elements so this >
comparison needs to be >= to prevent an out of bounds access. The
gdev->ei[] array is allocated in hte_register_chip().

Fixes: 31ab09b42188 ("drivers: Add hardware timestamp engine (HTE) subsystem")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/hte/hte.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hte/hte.c b/drivers/hte/hte.c
index 891b98ad609e..a14c5bf290ff 100644
--- a/drivers/hte/hte.c
+++ b/drivers/hte/hte.c
@@ -811,7 +811,7 @@ int hte_push_ts_ns(const struct hte_chip *chip, u32 xlated_id,
if (!chip || !data || !chip->gdev)
return -EINVAL;

- if (xlated_id > chip->nlines)
+ if (xlated_id >= chip->nlines)
return -EINVAL;

ei = &chip->gdev->ei[xlated_id];
--
2.35.1

2022-05-09 08:22:13

by Dipen Patel

[permalink] [raw]

Subject: Re: [PATCH 1/2] hte: fix off by one in hte_push_ts_ns()

good catch. Thanks.

Reviewed-by: Dipen Patel

Acked-by: Dipen Patel

On 5/6/22 7:53 AM, Dan Carpenter wrote:
> The &chip->gdev->ei[] array has chip->nlines elements so this >
> comparison needs to be >= to prevent an out of bounds access. The
> gdev->ei[] array is allocated in hte_register_chip().
>
> Fixes: 31ab09b42188 ("drivers: Add hardware timestamp engine (HTE) subsystem")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> drivers/hte/hte.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hte/hte.c b/drivers/hte/hte.c
> index 891b98ad609e..a14c5bf290ff 100644
> --- a/drivers/hte/hte.c
> +++ b/drivers/hte/hte.c
> @@ -811,7 +811,7 @@ int hte_push_ts_ns(const struct hte_chip *chip, u32 xlated_id,
> if (!chip || !data || !chip->gdev)
> return -EINVAL;
>
> - if (xlated_id > chip->nlines)
> + if (xlated_id >= chip->nlines)
> return -EINVAL;
>
> ei = &chip->gdev->ei[xlated_id];

2022-05-09 08:30:01

by Dan Carpenter

[permalink] [raw]

Subject: [PATCH 2/2] hte: uninitialized variable in hte_ts_get()

The "free_name" variable is sometimes used without being initialized.

31ab09b42188 ("drivers: Add hardware timestamp engine (HTE) subsystem")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/hte/hte.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hte/hte.c b/drivers/hte/hte.c
index a14c5bf290ff..7c3b4476f890 100644
--- a/drivers/hte/hte.c
+++ b/drivers/hte/hte.c
@@ -572,7 +572,7 @@ int hte_ts_get(struct device *dev, struct hte_ts_desc *desc, int index)
struct of_phandle_args args;
u32 xlated_id;
int ret;
- bool free_name;
+ bool free_name = false;

if (!desc)
return -EINVAL;
--
2.35.1