Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4042451imm; Mon, 8 Oct 2018 13:56:37 -0700 (PDT) X-Google-Smtp-Source: ACcGV63KW6Ww5WhJyGijp9PXN9o6V8Xfl7JUFtMFNMC9t1oN/6K2Z7LeJShyTGCTzvbpfJ3j1D4R X-Received: by 2002:a63:5558:: with SMTP id f24-v6mr23257250pgm.37.1539032197683; Mon, 08 Oct 2018 13:56:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539032197; cv=none; d=google.com; s=arc-20160816; b=cX4pGq+JG56gRRdr+p48X3ojOisCNbafABCWSKe2xs0MtsGRO1Vky8ZU4IAUP5UYA3 VnoUO7J8zH7wk//EkyZsmqyK9g16zOF7dDX2qMpliQr0NuUriGLpfgDZg7LhA4URHypv vkQ3UMe57kB9dK5ZqYF0Com0XPOjCl07prFdlkuurtniHCMBPyW97LLITk7bbg3WTIpu 2fBJuIkfmu+YX7/5fIPRQ/77PVHCsAVRhahYJiCepLpGW1fC2blw9PcCnpbPU6DfMfdK YpoZIAOnbd7qQt3Q2TvYS+Yq5zJVxT7NKarvUSXWTefBFvVDphBeRcoa2mfQZZjG5dgr YLRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=y4VJHsp0nA/VXdV5E1Ogeis427ZvFaiyCs7cOeUIk/M=; b=MIITIoEcQQzzaLLqcMQuN+NFYOuCl/+uvWEwD23Kr/TQsjBIms4Vdh/Bpw9CJOSbr7 mfXy0rbgJJFP4I/fPlv/bG6sgPfxpgcXcfCYVeX2BpERDE2LW9wB+kUbz9xnXqQKEgxZ W/WMhC9UpD46/mvSgacJSumVQrhiPy432hToX2sx3uhBJE6YBTUfO5OpYUYqRnI3L7sX MBrKjUB0SWrM5CyjzdborzhecTbkAbISKVkLiAZd3FN7HzZCckJagnulvw0IiLf5ibqV LlwJt/CE8IgKCRflTbNGY+ZVrqxcNAUgIOzT5mXO/O3iYjAedvuQsYByCqsYWHj6NFHc ffmQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 66-v6si15619563pla.180.2018.10.08.13.56.22; Mon, 08 Oct 2018 13:56:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726740AbeJIEJT (ORCPT + 99 others); Tue, 9 Oct 2018 00:09:19 -0400 Received: from mail.bootlin.com ([62.4.15.54]:33547 "EHLO mail.bootlin.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726103AbeJIEJT (ORCPT ); Tue, 9 Oct 2018 00:09:19 -0400 Received: by mail.bootlin.com (Postfix, from userid 110) id 35A82207C3; Mon, 8 Oct 2018 22:55:39 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.bootlin.com X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT shortcircuit=ham autolearn=disabled version=3.4.0 Received: from qschulz (LFbn-1-10589-128.w90-89.abo.wanadoo.fr [90.89.181.128]) by mail.bootlin.com (Postfix) with ESMTPSA id 577A320719; Mon, 8 Oct 2018 22:55:36 +0200 (CEST) Date: Mon, 8 Oct 2018 22:55:36 +0200 From: Quentin Schulz To: "Gustavo A. R. Silva" Cc: Kishon Vijay Abraham I , "David S. Miller" , linux-kernel@vger.kernel.org Subject: Re: [PATCH] phy: ocelot-serdes: fix out-of-bounds read Message-ID: <20181008205536.emefo2lddcuxl6sr@qschulz> References: <20181008180649.GA9152@embeddedor.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="7jqv2n7jpxh5j4sz" Content-Disposition: inline In-Reply-To: <20181008180649.GA9152@embeddedor.com> User-Agent: NeoMutt/20171215 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --7jqv2n7jpxh5j4sz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Gustavo, On Mon, Oct 08, 2018 at 08:06:49PM +0200, Gustavo A. R. Silva wrote: > Currently, there is an out-of-bounds read on array ctrl->phys, > once variable i reaches the maximum array size of SERDES_MAX > in the for loop. >=20 > Fix this by changing the condition in the for loop from > i <=3D SERDES_MAX to i < SERDES_MAX. >=20 Thanks for the heads up. However, as defined today, SERDES_MAX is a valid value so I need it in the iteration. There are two possible fixes though: Either we let all the for loops as `for (i =3D 0; i <=3D SERDES_MAX; i++)` and define ctrl->phys as an array of size SERDES_MAX + 1. Or we modify the for loops as `for (i =3D 0; i < SERDES_MAX; i++)` and we update SERDES_MAX in include/dt-bindings/phy/phy-ocelot-serdes.h to be SERDES6G_MAX + 1. As you wish! Thanks, Quentin > Addresses-Coverity-ID: 1473966 ("Out-of-bounds read") > Addresses-Coverity-ID: 1473959 ("Out-of-bounds read") > Fixes: 51f6b410fc22 ("phy: add driver for Microsemi Ocelot SerDes muxing") > Signed-off-by: Gustavo A. R. Silva > --- > drivers/phy/mscc/phy-ocelot-serdes.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/drivers/phy/mscc/phy-ocelot-serdes.c b/drivers/phy/mscc/phy-= ocelot-serdes.c > index 8936abd..c4eee3a 100644 > --- a/drivers/phy/mscc/phy-ocelot-serdes.c > +++ b/drivers/phy/mscc/phy-ocelot-serdes.c > @@ -206,7 +206,7 @@ static struct phy *serdes_simple_xlate(struct device = *dev, > port =3D args->args[0]; > idx =3D args->args[1]; > =20 > - for (i =3D 0; i <=3D SERDES_MAX; i++) { > + for (i =3D 0; i < SERDES_MAX; i++) { > struct serdes_macro *macro =3D phy_get_drvdata(ctrl->phys[i]); > =20 > if (idx !=3D macro->idx) > @@ -260,7 +260,7 @@ static int serdes_probe(struct platform_device *pdev) > if (!ctrl->regs) > return -ENODEV; > =20 > - for (i =3D 0; i <=3D SERDES_MAX; i++) { > + for (i =3D 0; i < SERDES_MAX; i++) { > ret =3D serdes_phy_create(ctrl, i, &ctrl->phys[i]); > if (ret) > return ret; > --=20 > 2.7.4 >=20 --7jqv2n7jpxh5j4sz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXeEYjDsJh38OoyMzhLiadT7g8aMFAlu7xEgACgkQhLiadT7g 8aOcQBAAhhrepp+SQgXoIGQt8SnUIc2tKM5nHP0/LVb6DQwRE06QF5L+DhgTN2kx A/2GSlo5eYOGbLiJnXmevqm5TuZMOFlI14QcdTSooanAdr3Myav6mpB3jrIXYD0R gpTp0pfZFn1PVQWUweIg8VFQDy1vSSlXrvK9iInAYYP3BsHQDqsr2oBYkoJ5V8lj EGByxd4hxhYXf2W6R45YM4yUxzId4R2C6kinZuj4vmcfFrL8ia/0nz6B4c0rgEop NmMdgPqvwkYH/zzM1fgsD5yZ3/5BwmM3FT3mpKO3xu4y6n765CaH4iQYHXJKHIVy Vz+mkP7kVyBtS4GfjmT6VOpQbkLD593BgrxwA3Ghtdicn+DI4rMCo82jsG3bf3uA rbKxbRf0JPT1Dxjt06moT3k9kUQ2Fg/Wyq0r6JnhMQGlnWARYxgP3fTFOjifbgpO braFZ658amSkDvRK4KWU9NJFXo9u6AEHpDwqTvFmoWvWBi+ukBROTovW2S/RmbG2 aBWWQKlxxhyBNqwVcWISpBT43wHSHEaEo78grRha87zqB7Hn7lEZlXjKOmv//Q2C 6cSsg/vNjR1TKJfOONePyfxLAgDg+Ok0CcJJOPeCpohPP3Mwg3uBu/1im/3vkHdX tPkzWJ9kJNvKbOVJAIFHYg3o2Bp6YEbA15U1Q9eZnWqY5CnhAo4= =uDdN -----END PGP SIGNATURE----- --7jqv2n7jpxh5j4sz--