Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp673057pxa; Wed, 19 Aug 2020 11:37:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxaRFNOf85un0BBDX1Q4DviNKZM/ZpY4A9HbicV0ESwBZgPLWEoyvAL4Ervz2w0MxTXA1Ar X-Received: by 2002:a17:906:cc48:: with SMTP id mm8mr27605118ejb.292.1597862264415; Wed, 19 Aug 2020 11:37:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597862264; cv=none; d=google.com; s=arc-20160816; b=LY8BYBZvB+6CbGQHYe3Tzh9ZE4mHARIgtIQAh9mmwZu4mQ+0YYdJ7ChWYh/ir6zpJz PAnnH+6eyAKoFsQUJPNRVYiTXEkhJ/Rf1njsOWc1j4USHAY4Gfx3ACE2deSW7uKjE16J jGwrNPW2NeKfKZl5b+jBchY5Crjtg5aZRdpc8T4lXddKFr2ylMhIISEDOO74F8L68WWz K989CDySVFFykO1A/lMECAnTg2kIvrcul9YQw+w/Z5yNp5iH+gxYIKzM0KOEsLnJFl4O dYjeEzvxo/CuVkO4LhipSEkcbdNIc70UfFOYluKiU50LgUJE2vJ1lrf4IR3S9SN3ptJ+ lj6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:from:references:cc:to:subject:dkim-signature; bh=dzFPW98IjwdM/d9R5M1SWjP7FuXrdNZQLa1YSYNlGvg=; b=ki8s/7F8h2sJ3adLxCyABjOW9n6BJjqW1ddty9mUJrk8N4C2Y78lGVFJ/Fi0rS481O HPeMsgU1CAHLfjXrsVdZqXH0P3ZhFpwJ5dgA2kLqglef+uEUsZV4VsZCM6erPtub4TGa KJhXIaRWI/FHv02zwRAzR50LFnAoj2Nbe0rrm2vp7/No2kZN2bTh0X6yu74jVIdhgfWP VhoTsYQ4kE92WE+lj4JJG8Cjhwk78rBGwFnh4NgnmFPEWlVwquAPGmqsK7UxhWlTd/Gq 8BWV3PTZMHhfTjwMI3YklzQ9BbJIWvRKsKayyzThdGuy289QBtQ36U9ZWbymvrbwT1/E XTQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=b35WSx9x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u24si19290298edi.194.2020.08.19.11.37.19; Wed, 19 Aug 2020 11:37:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=b35WSx9x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726612AbgHSSeX (ORCPT + 99 others); Wed, 19 Aug 2020 14:34:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60054 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725997AbgHSSeT (ORCPT ); Wed, 19 Aug 2020 14:34:19 -0400 Received: from mail-ej1-x643.google.com (mail-ej1-x643.google.com [IPv6:2a00:1450:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 929A0C061757 for ; Wed, 19 Aug 2020 11:34:18 -0700 (PDT) Received: by mail-ej1-x643.google.com with SMTP id d6so27485251ejr.5 for ; Wed, 19 Aug 2020 11:34:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=dzFPW98IjwdM/d9R5M1SWjP7FuXrdNZQLa1YSYNlGvg=; b=b35WSx9x5p7dIjPVPT0eidtM6Hu2C3W8CxD7/aL9f5/+1IWMiT/ZUT03lBR0ukLUc8 H68pltA8qudPbZMeDxO3P4WNCUBR3L+0VotCNHt64CcrUr0iiNGi6IH5vBz+iuzwgzvP X9zM9qqUryToqrQMLMwIM3DEi/3aAv8nXrjrIHhh0yvDcpykKC/YYbtKr+jyjvaqZedt JdimRhcEqWPubFhiPQxbDZuAf9HXgWJAwpTrP+6NI30pm8CXMDKUJt99mIpEcLUqCtVD Yt5oVe0lHJ1nQz5G/SahcRv9jMhBEOCC0+8zf1cZ51s75EAokIeddTgpz3rl0IM2spTO bQ5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=dzFPW98IjwdM/d9R5M1SWjP7FuXrdNZQLa1YSYNlGvg=; b=NIM5jXld0X34O4nPbBWsxiViLL4WB1Bqatgy0P9AAyb7cAtES3OIOInTj/Xdv9bror aca2VI7ovk41vdvspfPGkvkKC3tvM3NDEt3SDUG8Zh8r4jqPMf+63ELL0EnSaNxJNj6S R6G5eKpw8WvuKdGd1gdXiFFywIeGvjY9WBZtSMRAcvV4lkMOWvtEZIR4elpPzPJiWBXy 8oJ8CSSN7WK9R+o/5/P5WDh7cr6kp+ibpnW281GkjXGU7GkzGZ6G5+Coq1wLPw1WNfLb C/trMC3iXKQOLjamNmIGv0zE5oPHdYeDB+UxI2RK2us5tK4aTxBB83g8IO/lvmaTKT1y VfPw== X-Gm-Message-State: AOAM533YIKvFulEHy0LedkEKZydvfSLIVudDVSVTQ5oD65JWf0QxPYVZ orlQl9y1k/MX3PhEUhXpid9bxFux3+8= X-Received: by 2002:a17:906:7108:: with SMTP id x8mr26330340ejj.447.1597862056902; Wed, 19 Aug 2020 11:34:16 -0700 (PDT) Received: from [10.67.50.75] ([192.19.223.252]) by smtp.googlemail.com with ESMTPSA id ss20sm19257425ejb.118.2020.08.19.11.34.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 19 Aug 2020 11:34:15 -0700 (PDT) Subject: Re: out of bounds access on array error_text[] because of -ETIMEDOUT return from __send_command() To: Colin Ian King , Markus Mayer , bcm-kernel-feedback-list@broadcom.com, Krzysztof Kozlowski , Florian Fainelli , linux-arm-kernel@lists.infradead.org Cc: "linux-kernel@vger.kernel.org" References: <38d00022-730c-948a-917c-d86382df8cb9@canonical.com> From: Florian Fainelli Autocrypt: addr=f.fainelli@gmail.com; prefer-encrypt=mutual; keydata= xsDiBEjPuBIRBACW9MxSJU9fvEOCTnRNqG/13rAGsj+vJqontvoDSNxRgmafP8d3nesnqPyR xGlkaOSDuu09rxuW+69Y2f1TzjFuGpBk4ysWOR85O2Nx8AJ6fYGCoeTbovrNlGT1M9obSFGQ X3IzRnWoqlfudjTO5TKoqkbOgpYqIo5n1QbEjCCwCwCg3DOH/4ug2AUUlcIT9/l3pGvoRJ0E AICDzi3l7pmC5IWn2n1mvP5247urtHFs/uusE827DDj3K8Upn2vYiOFMBhGsxAk6YKV6IP0d ZdWX6fqkJJlu9cSDvWtO1hXeHIfQIE/xcqvlRH783KrihLcsmnBqOiS6rJDO2x1eAgC8meAX SAgsrBhcgGl2Rl5gh/jkeA5ykwbxA/9u1eEuL70Qzt5APJmqVXR+kWvrqdBVPoUNy/tQ8mYc nzJJ63ng3tHhnwHXZOu8hL4nqwlYHRa9eeglXYhBqja4ZvIvCEqSmEukfivk+DlIgVoOAJbh qIWgvr3SIEuR6ayY3f5j0f2ejUMYlYYnKdiHXFlF9uXm1ELrb0YX4GMHz80nRmxvcmlhbiBG YWluZWxsaSA8Zi5mYWluZWxsaUBnbWFpbC5jb20+wmYEExECACYCGyMGCwkIBwMCBBUCCAME FgIDAQIeAQIXgAUCVF/S8QUJHlwd3wAKCRBhV5kVtWN2DvCVAJ4u4/bPF4P3jxb4qEY8I2gS 6hG0gACffNWlqJ2T4wSSn+3o7CCZNd7SLSDOwU0EVxvH8AEQAOqv6agYuT4x3DgFIJNv9i0e S443rCudGwmg+CbjXGA4RUe1bNdPHYgbbIaN8PFkXfb4jqg64SyU66FXJJJO+DmPK/t7dRNA 3eMB1h0GbAHlLzsAzD0DKk1ARbjIusnc02aRQNsAUfceqH5fAMfs2hgXBa0ZUJ4bLly5zNbr r0t/fqZsyI2rGQT9h1D5OYn4oF3KXpSpo+orJD93PEDeseho1EpmMfsVH7PxjVUlNVzmZ+tc IDw24CDSXf0xxnaojoicQi7kzKpUrJodfhNXUnX2JAm/d0f9GR7zClpQMezJ2hYAX7BvBajb Wbtzwi34s8lWGI121VjtQNt64mSqsK0iQAE6OYk0uuQbmMaxbBTT63+04rTPBO+gRAWZNDmQ b2cTLjrOmdaiPGClSlKx1RhatzW7j1gnUbpfUl91Xzrp6/Rr9BgAZydBE/iu57KWsdMaqu84 JzO9UBGomh9eyBWBkrBt+Fe1qN78kM7JO6i3/QI56NA4SflV+N4PPgI8TjDVaxgrfUTV0gVa cr9gDE5VgnSeSiOleChM1jOByZu0JTShOkT6AcSVW0kCz3fUrd4e5sS3J3uJezSvXjYDZ53k +0GS/Hy//7PSvDbNVretLkDWL24Sgxu/v8i3JiYIxe+F5Br8QpkwNa1tm7FK4jOd95xvYADl BUI1EZMCPI7zABEBAAHCwagEGBECAAkFAlcbx/ACGwICKQkQYVeZFbVjdg7BXSAEGQECAAYF Alcbx/AACgkQh9CWnEQHBwSJBw//Z5n6IO19mVzMy/ZLU/vu8flv0Aa0kwk5qvDyvuvfiDTd WQzq2PLs+obX0y1ffntluhvP+8yLzg7h5O6/skOfOV26ZYD9FeV3PIgR3QYF26p2Ocwa3B/k P6ENkk2pRL2hh6jaA1Bsi0P34iqC2UzzLq+exctXPa07ioknTIJ09BT31lQ36Udg7NIKalnj 5UbkRjqApZ+Rp0RAP9jFtq1n/gjvZGyEfuuo/G+EVCaiCt3Vp/cWxDYf2qsX6JxkwmUNswuL C3duQ0AOMNYrT6Pn+Vf0kMboZ5UJEzgnSe2/5m8v6TUc9ZbC5I517niyC4+4DY8E2m2V2LS9 es9uKpA0yNcd4PfEf8bp29/30MEfBWOf80b1yaubrP5y7yLzplcGRZMF3PgBfi0iGo6kM/V2 13iD/wQ45QTV0WTXaHVbklOdRDXDHIpT69hFJ6hAKnnM7AhqZ70Qi31UHkma9i/TeLLzYYXz zhLHGIYaR04dFT8sSKTwTSqvm8rmDzMpN54/NeDSoSJitDuIE8givW/oGQFb0HGAF70qLgp0 2XiUazRyRU4E4LuhNHGsUxoHOc80B3l+u3jM6xqJht2ZyMZndbAG4LyVA2g9hq2JbpX8BlsF skzW1kbzIoIVXT5EhelxYEGqLFsZFdDhCy8tjePOWK069lKuuFSssaZ3C4edHtkZ8gCfWWtA 8dMsqeOIg9Trx7ZBCDOZGNAAnjYQmSb2eYOAti3PX3Ex7vI8ZhJCzsNNBEjPuBIQEAC/6NPW 6EfQ91ZNU7e/oKWK91kOoYGFTjfdOatp3RKANidHUMSTUcN7J2mxww80AQHKjr3Yu2InXwVX SotMMR4UrkQX7jqabqXV5G+88bj0Lkr3gi6qmVkUPgnNkIBe0gaoM523ujYKLreal2OQ3GoJ PS6hTRoSUM1BhwLCLIWqdX9AdT6FMlDXhCJ1ffA/F3f3nTN5oTvZ0aVF0SvQb7eIhGVFxrlb WS0+dpyulr9hGdU4kzoqmZX9T/r8WCwcfXipmmz3Zt8o2pYWPMq9Utby9IEgPwultaP06MHY nhda1jfzGB5ZKco/XEaXNvNYADtAD91dRtNGMwRHWMotIGiWwhEJ6vFc9bw1xcR88oYBs+7p gbFSpmMGYAPA66wdDKGj9+cLhkd0SXGht9AJyaRA5AWB85yNmqcXXLkzzh2chIpSEawRsw8B rQIZXc5QaAcBN2dzGN9UzqQArtWaTTjMrGesYhN+aVpMHNCmJuISQORhX5lkjeg54oplt6Zn QyIsOCH3MfG95ha0TgWwyFtdxOdY/UY2zv5wGivZ3WeS0TtQf/BcGre2y85rAohFziWOzTaS BKZKDaBFHwnGcJi61Pnjkz82hena8OmsnsBIucsz4N0wE+hVd6AbDYN8ZcFNIDyt7+oGD1+c PfqLz2df6qjXzq27BBUboklbGUObNwADBQ//V45Z51Q4fRl/6/+oY5q+FPbRLDPlUF2lV6mb hymkpqIzi1Aj/2FUKOyImGjbLAkuBQj3uMqy+BSSXyQLG3sg8pDDe8AJwXDpG2fQTyTzQm6l OnaMCzosvALk2EOPJryMkOCI52+hk67cSFA0HjgTbkAv4Mssd52y/5VZR28a+LW+mJIZDurI Y14UIe50G99xYxjuD1lNdTa/Yv6qFfEAqNdjEBKNuOEUQOlTLndOsvxOOPa1mRUk8Bqm9BUt LHk3GDb8bfDwdos1/h2QPEi+eI+O/bm8YX7qE7uZ13bRWBY+S4+cd+Cyj8ezKYAJo9B+0g4a RVhdhc3AtW44lvZo1h2iml9twMLfewKkGV3oG35CcF9mOd7n6vDad3teeNpYd/5qYhkopQrG k2oRBqxyvpSLrJepsyaIpfrt5NNaH7yTCtGXcxlGf2jzGdei6H4xQPjDcVq2Ra5GJohnb/ix uOc0pWciL80ohtpSspLlWoPiIowiKJu/D/Y0bQdatUOZcGadkywCZc/dg5hcAYNYchc8AwA4 2dp6w8SlIsm1yIGafWlNnfvqbRBglSTnxFuKqVggiz2zk+1wa/oP+B96lm7N4/3Aw6uy7lWC HvsHIcv4lxCWkFXkwsuWqzEKK6kxVpRDoEQPDj+Oy/ZJ5fYuMbkdHrlegwoQ64LrqdmiVVPC TwQYEQIADwIbDAUCVF/S8QUJHlwd3wAKCRBhV5kVtWN2Do+FAJ956xSz2XpDHql+Wg/2qv3b G10n8gCguORqNGMsVRxrlLs7/himep7MrCc= Message-ID: <4acc34c4-9c17-41f7-2e39-7eda16792572@gmail.com> Date: Wed, 19 Aug 2020 11:34:12 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <38d00022-730c-948a-917c-d86382df8cb9@canonical.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/18/20 5:21 AM, Colin Ian King wrote: > Hi, > > static analysis with coverity has found a buffer overflow issue with the > brcmstb driver, I believe it may have been introduced with the following > commit: > > commit a7c25759d8d84b64c437a78f05df7314b02934e5 > Author: Markus Mayer > Date: Tue Apr 2 16:01:00 2019 -0700 > > memory: brcmstb: dpfe: wait for DCPU to be ready > > The static analysis is as follows for the source file > /drivers/memory/brcmstb_dpfe.c : > > 684 static ssize_t generic_show(unsigned int command, u32 response[], > 685 struct brcmstb_dpfe_priv *priv, char *buf) > 686 { > 687 int ret; > 688 > 1. Condition !priv, taking false branch. > > 689 if (!priv) > 690 return sprintf(buf, "ERROR: driver private data not > set\n"); > 691 > 2. return_constant: Function call __send_command(priv, command, > response) may return -110. > 3. assignment: Assigning: ret = __send_command(priv, command, > response). The value of ret is now -110. > > 692 ret = __send_command(priv, command, response); > 4. Condition ret < 0, taking true branch. > > 693 if (ret < 0) > > Out-of-bounds read (OVERRUN) > 5. overrun-local: Overrunning array error_text of 6 8-byte elements > at element index 110 (byte offset 887) using index -ret (which evaluates > to 110). > 694 return sprintf(buf, "ERROR: %s\n", error_text[-ret]); > 695 > 696 return 0; > 697 } > > > Function __send_command() can return -ETIMEDOUT and this causes an > out-of-bounds access on error_text[]. Markus, what do you think of this: diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c index 60e8633b1175..b41c6251ddc3 100644 --- a/drivers/memory/brcmstb_dpfe.c +++ b/drivers/memory/brcmstb_dpfe.c @@ -445,7 +445,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd, } if (resp != 0) { mutex_unlock(&priv->lock); - return -ETIMEDOUT; + return -ffs(DCPU_RET_ERR_TIMEDOUT); } /* Compute checksum over the message */ That way we only return DCPU-style error code from __send_command and we de-reference error_text accordingly? Or we could just introduce a proper lookup with a function instead of a direct array de-reference. -- Florian