Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp5580855ybi; Sun, 7 Jul 2019 08:04:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqxjpB1WRTwgATggwCqkNVnR0Y8p8rChIAB3HS+IvCOkz6bGaR5nCRqsQ3tCLnQCt1213kpI X-Received: by 2002:a17:902:2bc5:: with SMTP id l63mr18675277plb.30.1562511885565; Sun, 07 Jul 2019 08:04:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562511885; cv=none; d=google.com; s=arc-20160816; b=dzIKVkW3Q7Zq8bkkCrtbYibeLDrqWhoO2s0PJOB/0rCEnYkfZXqPZMDhU6cAzErh7M 8GlCXkbURhWic07g8M70Pv2bD684ARWiRpFv7EvHmMBFAaJV7UJAoZMNV7HkGJOT+p6N 5PVE73/artC9+rHGLqybqv8/lNPuCMFRxkj/qrYkSzehCzK8tOZkJBzXTDpPt6z8mqzd and9OOMyQ7lMYz7/Ko+y2peyWEpSJ7YFeklmf7jSJtxvUNkq6ImAXsFmCijqSH2Ln7mT i5FL6vsLrLKRUu7VNZknsik3JZCCjma+7nyeor0alhfeg7KvEnckHs4eLvex3YPjfjd3 A7Fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=RzgqI621aWGbDHGCfudOESl9Mn0+99CKDMGTJU72pEQ=; b=JlBO3E1mxpXFzhIzb/VtWwZM0cqs8G0YHhJTXKLlIKQgTJNnfXeaLhO/Vqo5cTT2Ed 8fDjsPxT9wZnDvRX//GVwy0O1N5tvkBMA3Ish8Rm7CbeodOxLTwUJOiba+1jKDQ7u/j1 gUlbJAqcWUdl6Ho+8cdQrqfA4rLYX7J4D1VHzLfYcQEkh502rSFOBv8HkXHMulZ0Hb/T 5X2gralFFttbzcXyvGGWCvAj7Y0Hsc9h8VxbRchgOVgDHImozoWriScF2DIcPzbPuDSC OR3GTrFgBUmGIXhfMTeWHdxLbylqMlARJmlV0QasvB7ZMd0rUQ0NCnxInKyp59Jst9eP f6vw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CwB7zMo8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a10si15637934pfc.55.2019.07.07.08.04.01; Sun, 07 Jul 2019 08:04:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CwB7zMo8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727077AbfGGOYq (ORCPT + 99 others); Sun, 7 Jul 2019 10:24:46 -0400 Received: from mail-pl1-f196.google.com ([209.85.214.196]:33890 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726302AbfGGOYq (ORCPT ); Sun, 7 Jul 2019 10:24:46 -0400 Received: by mail-pl1-f196.google.com with SMTP id i2so6889503plt.1 for ; Sun, 07 Jul 2019 07:24:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=RzgqI621aWGbDHGCfudOESl9Mn0+99CKDMGTJU72pEQ=; b=CwB7zMo8m+w+lYJl2AfFe4HLR6Af2kKEyirdj9kyWsC7IuEg47plHvVYVf7qJZN6zl WC15Aw1sKoacOYgHqBYdZDpY78sPn9+yY46HBFwrVctnLEODvL6dYPImuk1dhzlqyM6/ LrJIonOcgzJRi8yLkivwfPhfI8s0uUdmlL2fg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=RzgqI621aWGbDHGCfudOESl9Mn0+99CKDMGTJU72pEQ=; b=CrK+DekTU3D4SJikA6ehhz209fwYX4YT3QU0W9Zy6BS19bHkK9DiDyVzNR/nXxuGZy +PKcpKHMF3Gw52YX9fxXZzLT3jfywlTOHr04XxEqHjCgavsIkzsuCRLCuXDsE0j7wXyW gGzLcjumQWQZhq8MdV2XgzYJOMIMFIYFRH1AjCIyec4IFyKXAx/VO33p9ecesGNUDwr2 dasI01a9llB4f1f/eGbWjXpXZiYRJ6sKCpz4Tb4jFyTdAG95JLI2mPBXXh6aRW9uiW48 W9IkU1kO+19xElX1kR3y2TiCStg7DDiog+yNK/gWuE/VTRn6dzAQOPBJoqmgunb+XUMK dj3g== X-Gm-Message-State: APjAAAWEiyO6XaqeNB9c6P/pr+zoeeHbKOh/3YiJ23ki8frvsoO2RFL7 3HaxW+UBBjwislKJHK0ydi2f+Lr8Yxk= X-Received: by 2002:a17:902:e40f:: with SMTP id ci15mr17885407plb.103.1562509485880; Sun, 07 Jul 2019 07:24:45 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id b29sm30544119pfr.159.2019.07.07.07.24.44 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 07 Jul 2019 07:24:44 -0700 (PDT) Date: Sun, 7 Jul 2019 07:24:43 -0700 From: Kees Cook To: Boris Brezillon Cc: Philipp Zabel , Ezequiel Garcia , linux-media@vger.kernel.org, Hans Verkuil , kernel@collabora.com, Nicolas Dufresne , Tomasz Figa , linux-rockchip@lists.infradead.org, Heiko Stuebner , Jonas Karlman , Paul Kocialkowski , Alexandre Courbot , fbuergisser@chromium.org, linux-kernel@vger.kernel.org, ZhiChao Yu Subject: Re: [PATCH v2 2/2] media: hantro: Add support for VP8 decoding on rk3288 Message-ID: <201907070704.D6C5A32D@keescook> References: <20190702170016.5210-1-ezequiel@collabora.com> <20190702170016.5210-3-ezequiel@collabora.com> <1562164006.4604.7.camel@pengutronix.de> <20190704091934.3524f019@collabora.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190704091934.3524f019@collabora.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 04, 2019 at 09:19:34AM +0200, Boris Brezillon wrote: > Hm, I fear we have the same problem in other places (including the > patch series adding support for H264). Kees, I wonder if there's some > kind of safe array iterator macro, something like > > #define for_each_static_array_entry_safe(_array, _iter, _max_user) \ > _max_user = min_t(typeof(_max_user), _max_user, ARRAY_SIZE(_array)); \ > for (_iter = 0; _iter < _max_user; _iter++) This seems like a good idea to add, yes. As you've hinted in the macro name, it won't work for allocated arrays (though perhaps we could add support for such things with some kind of new array allocator that included the allocation count, but that's a separate issue). I bet static analysis could find cases to use for the above macro too. > The problem with this approach is that it's papering over the real > issue, which is that hdr->num_dct_parts should be checked and the > driver/core should return an error when it's > 7 instead of silently > iterating over the 8 entries of the dct[] arrays. Static code analysis > tools can probably detect such issues too. To avoid the papering-over bit, the macro could be like this instead, where the clamping would throw a WARN(): #define clamp_warn(val, lo, hi) ({ \ typeof(val) __val; \ __val = clamp_t(typeof(val), lo, hi); \ WARN_ONCE(__val != val); \ __val }) #define for_each_static_array_entry_safe(_array, _iter, _max_user) \ _max_user = clamp_warn(_max_user, 0, ARRAY_SIZE(_array)); \ for (_iter = 0; _iter < _max_user; _iter++) This does have the side-effect of clamping _max_user to ARRAY_SIZE(_array), though that might be good in most cases? (Also, is the "entry_safe" name portion the right thing here? It's not doing anything "safe" like the RCU versions, and there is no "entry" since the expectation is to use the _iter value?) > Any advice on how to detect such problems early on? Doing static analysis on this means a tool would need to know the range of values coming in. I wonder if Coverity noticed this problem? -- Kees Cook