Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3515836imm;
        Thu, 17 May 2018 09:57:52 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZozGM8chgi1rfFq57BPaVUBdMnNd/8JRSnFKZR67IOgh7030N9m1SrwKks3yvdk/37C7xj1
X-Received: by 2002:a63:b51d:: with SMTP id y29-v6mr2916639pge.406.1526576272784;
        Thu, 17 May 2018 09:57:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526576272; cv=none;
        d=google.com; s=arc-20160816;
        b=glKd6cRmlPZ/wKaG0AOQUUZUrq+m0e5t2jVr49hxsLgrutCUd636Nb6jPVTzE9Bygl
         jwBjn/3hlCxviOcDIbasVd09mQL4D+wbdL7RczBBiiommfnOxa8IxIuxvUS1hJQmdayC
         TovXcIZFnDnTfYxSv/ZuU3iXBYNNHLkWcdSB37JFDHsvnwStd7kJOQmdunlSysEk2apo
         mtoQsV+vQoKrSjpsSM1gSs1tTYUct01zBnhoIcUPQb5wzwFs9ghlLO6vTtsNBN7fuIXC
         KEWnAs3o/nA0y1napXIAMoTvA94OwX4Gg96VMllo0UxxkKdV3zzaMIod/Z70xHdTGQVA
         vAxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:references:cc:to:from:subject:dkim-signature
         :arc-authentication-results;
        bh=ZtzAEpxCoywYhM+AcO0S/vrBpTm2kDCBO7P7Ncmjto0=;
        b=vX0kPPilQUDJcTM33YrmI/1vxWmVE5h82z9gjIvPHinCnU7JkucBdvcHQHBdAsILq6
         ZoWNaj7Rc6OnaFpIUc+dD0YIdvgJ22rBMqpp+Tr2K/uveYZzVg0tB9BwKTHJmVnmFuek
         GCOoTNzlu+Gt9x7DKgKBw9+smrPuQwsNZDTNjOJ/x8DKMy9OSY0/1+OrxafNnoCnAvyN
         YqGOA0nAqad7z3jg2bdJOr/fwWBazqDyKnCHL0uoevxR9d1m3bJEefeVuiuaDq26J0v7
         zwp9UUtJlWPrzVBHh3SbiO7h67IDPlFQv9HVWGc8tUN2ODjTfC21k1VKdsV4tB1RjFTl
         BMAQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Q760HdRU;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z9-v6si6166335plk.94.2018.05.17.09.57.38;
        Thu, 17 May 2018 09:57:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Q760HdRU;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752304AbeEQQ4h (ORCPT <rfc822;tnerolf.eriarrach@gmail.com>
        + 99 others); Thu, 17 May 2018 12:56:37 -0400
Received: from mail-pg0-f67.google.com ([74.125.83.67]:45229 "EHLO
        mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752266AbeEQQ4f (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 May 2018 12:56:35 -0400
Received: by mail-pg0-f67.google.com with SMTP id w3-v6so2071222pgv.12;
        Thu, 17 May 2018 09:56:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:from:to:cc:references:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=ZtzAEpxCoywYhM+AcO0S/vrBpTm2kDCBO7P7Ncmjto0=;
        b=Q760HdRUlXCAd1foDogYYNGhtYCtwDEwVQMgOt/AUvq6pP1YHzMvN9+0EiRd3WDtWd
         XXbLEfTaSMqgOe20imOc4xbGveV8wMwUIYP/n0bMeR4+eh4z1JixgZt4MGirPrxk0nWu
         Io5tSzEKkKtAwCR2W/bzZkTCEwa1wKgm4edWd26lxYv2Zgh3vEa+QSL143OrDLjw2/cZ
         TE7X9ocE4w+mrcm0N8ue67CbvkNL4a1owraPr9q2yzRECzlkHHG4SXuaGbMXKKNtRTum
         m2QZqLlUGFhq17wkG75HrnKzSYoKaQGCMJQ80f8jWeQOF3kqe1SQKbBjBO4dkkrDueNX
         HPSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:from:to:cc:references:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=ZtzAEpxCoywYhM+AcO0S/vrBpTm2kDCBO7P7Ncmjto0=;
        b=nzzNPGzhvXh+W7ChLks6WNttvxzl4K6BHXZDYC/Iq0ag4S3oSrh3nCbbf8EbE4cm2g
         89ZlV3bk/2QqeEYznkMXENWiw7vYpVUyCKJd6x+GEwJqAmDe9TqUzjPZ3Eyur9PLvrtR
         jcbQo4PLLJYqPvQYElsvAtMDkcD1bsCeaMko6C9XY6Vmi75yUtKde5Xf4tjudVNPSHJ6
         2IC855h1lcRlHqBhtaIwsft86m/x4McZ8BSk4Dn/pbi+I5dRsy9pY98I0VkeyNah+fCt
         kMaPK3ajFB+djOaDnfq4kj1Dfc9cn6yNN/xAjg+fhF6BjqCMZz0HC/WUKLUEN/YTuyLN
         VdzQ==
X-Gm-Message-State: ALKqPwfQD+EnfndZGSLhDBji9PbI9UjXaKEJB0r3zypIpYIu99UPWjr1
        H4GWE5qYyFjU5Tqz0y5xBfc=
X-Received: by 2002:a62:c987:: with SMTP id l7-v6mr5760864pfk.221.1526576195458;
        Thu, 17 May 2018 09:56:35 -0700 (PDT)
Received: from [192.168.1.70] (c-24-6-192-50.hsd1.ca.comcast.net. [24.6.192.50])
        by smtp.gmail.com with ESMTPSA id x10-v6sm18739502pfd.162.2018.05.17.09.56.34
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 17 May 2018 09:56:34 -0700 (PDT)
Subject: Re: [PATCH] of: overlay: validate offset from property fixups
From:   Frank Rowand <frowand.list@gmail.com>
To:     Rob Herring <robh+dt@kernel.org>, pantelis.antoniou@konsulko.com,
        Pantelis Antoniou <panto@antoniou-consulting.com>
Cc:     Dan Carpenter <dan.carpenter@oracle.com>,
        devicetree@vger.kernel.org, linux-kernel@vger.kernel.org
References: <1526530791-18591-1-git-send-email-frowand.list@gmail.com>
Message-ID: <21ae05b7-e9d4-d518-c341-861c74f32922@gmail.com>
Date:   Thu, 17 May 2018 09:56:33 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <1526530791-18591-1-git-send-email-frowand.list@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Rob,

On 05/16/18 21:19, frowand.list@gmail.com wrote:
> From: Frank Rowand <frank.rowand@sony.com>
> 
> The smatch static checker marks the data in offset as untrusted,
> leading it to warn:
> 
>   drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
>   error: buffer underflow 'prop->value' 's32min-s32max'
> 
> Add check to verify that offset is within the property data.
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Frank Rowand <frank.rowand@sony.com>
> ---
>  drivers/of/resolver.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/of/resolver.c b/drivers/of/resolver.c
> index 65d0b7adfcd4..7edfac6f1914 100644
> --- a/drivers/of/resolver.c
> +++ b/drivers/of/resolver.c
> @@ -122,6 +122,11 @@ static int update_usages_of_a_phandle_reference(struct device_node *overlay,
>  			goto err_fail;
>  		}
>  
> +		if (offset < 0 || offset + sizeof(__be32) > prop->length) {
> +			err = -EINVAL;
> +			goto err_fail;
> +		}
> +
>  		*(__be32 *)(prop->value + offset) = cpu_to_be32(phandle);
>  	}
>  
> 

I should have mentioned that this results in a new compile warning
for W=2 and W=3.  The new if statement results in:

drivers/of/resolver.c:125:45: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

There are other pre-existing warnings in the same file for comparing
an integer to prop->length.  The correct solution is probably to
change the type of the length field in struct property to be
unsigned.  I have added that task to my todo list.

-Frank