Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp1671968pxa; Thu, 20 Aug 2020 18:06:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxM+fiILGb00GmKhyu505GPoZYT0qZMFeDWoGrcttEhGB/NCYrrSmyF6UQIYsup5PccHrO9 X-Received: by 2002:a17:906:4157:: with SMTP id l23mr435910ejk.491.1597971999585; Thu, 20 Aug 2020 18:06:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597971999; cv=none; d=google.com; s=arc-20160816; b=IXVVD2oInWR13BCnY+mUS3QJcYWO3vbr/pLWQd/4PNsTrKs5VLxxIk73sPNea2BxD1 CY0gm87LQLYe6UHI+cjBEly2Y/FA730F5dguzNwwcrvj8B06kDiIbx8zEXbW9cAy/2ND rZrgLpxfgEq7ww6ThA/pI+pNSrQvWHIHQdUaKk4F2ds1B+xkl7LkLK1Y9+4pGIpFUtPC 3vAp/W15cbGBY21n0u7Hwq4Q373KcJIGp8a33feUNZhfVSXZq/jMpnKQWzw3MOXdQITw NfsleW9C/FX8gxG7SNoboDRHDh+m5msOmH7sUthr5P4N5nesyMbhwNbXHLLLPrix9+5/ KhNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:dkim-filter; bh=z8CYglpu6MxxN4eAn59ZyO783ERDMkxv3LPmrKIyAvE=; b=PK8NlkzohDf86TWXoiD4lbelM++FePlZ74zswl8V8WKwYma8/71HgS/ge/RFQtmfoJ 9y1ITujYphcmiv2oa9toOenpuU+sMz6m6m+l0r3Vij6KMs9XlGMDaWSpPHqT1XEWyflM mpCnPmi5QGVTE52sYe5ZfiY1BOaLVJniakHe0F3iunTzvMr7hqYSlpwxvmWVmu5Nad+I jyS7ibRGEJee3dGO5zK5xehrUVldxTj6RtM+m5NeHsoJBadxYn5Pj9wpFG40j8yyQW/o lHh07/EvmArBNp5WWXDWqWNf5kqhZIXF3tUA1o3Zyt+Pvnet8NEvvEqEGABHH5cWaOMl s/cA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@broadcom.com header.s=dkimrelay header.b=HazYeEzK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id lv25si111956ejb.396.2020.08.20.18.06.16; Thu, 20 Aug 2020 18:06:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@broadcom.com header.s=dkimrelay header.b=HazYeEzK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726819AbgHUBDl (ORCPT + 99 others); Thu, 20 Aug 2020 21:03:41 -0400 Received: from rnd-relay.smtp.broadcom.com ([192.19.229.170]:55920 "EHLO rnd-relay.smtp.broadcom.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726309AbgHUBDl (ORCPT ); Thu, 20 Aug 2020 21:03:41 -0400 Received: from mail-irv-17.broadcom.com (mail-irv-17.lvn.broadcom.net [10.75.242.48]) by rnd-relay.smtp.broadcom.com (Postfix) with ESMTP id 9C2BE30C016; Thu, 20 Aug 2020 18:01:04 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.10.3 rnd-relay.smtp.broadcom.com 9C2BE30C016 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=broadcom.com; s=dkimrelay; t=1597971664; bh=gfV9uR728yHTYUxg7H5ULAzW8rEUVFV045F+OHaYPqQ=; h=From:To:Cc:Subject:Date:From; b=HazYeEzKIGHdcBMStV0QAJpJ20cR1oqFarwW88uBZ3id4PtnGXyXZvPmW/LWkaddu TPIzdRAx9W0Db4XCVEUFJH5SXrhH38bfDK+IJdOPr46EfJLrAbU/UsEAjAMnjIsnkM rtvGP7HrXL92HHD2EOXPxEYsMerocf4crc9/r/S4= Received: from lbrmn-mmayer.ric.broadcom.net (lbrmn-mmayer.ric.broadcom.net [10.136.28.150]) by mail-irv-17.broadcom.com (Postfix) with ESMTP id BA7B214008B; Thu, 20 Aug 2020 18:03:38 -0700 (PDT) From: Markus Mayer To: Florian Fainelli , Colin Ian King , Krzysztof Kozlowski Cc: Markus Mayer , BCM Kernel Feedback , Linux ARM Kernel , Linux Kernel Subject: [PATCH] memory: brcmstb_dpfe: fix array index out of bounds Date: Thu, 20 Aug 2020 18:03:33 -0700 Message-Id: <20200821010333.20436-1-mmayer@broadcom.com> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We would overrun the error_text array if we hit a TIMEOUT condition, because we were using the error code "ETIMEDOUT" (which is 110) as an array index. We fix the problem by correcting the array index and by providing a function to retrieve error messages rather than accessing the array directly. The function includes a bounds check that prevents the array from being overrun. Signed-off-by: Markus Mayer --- This patch was prepared in response to https://lkml.org/lkml/2020/8/18/505. drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c index 81abc4a98a27..a986a849f58e 100644 --- a/drivers/memory/brcmstb_dpfe.c +++ b/drivers/memory/brcmstb_dpfe.c @@ -190,11 +190,6 @@ struct brcmstb_dpfe_priv { struct mutex lock; }; -static const char * const error_text[] = { - "Success", "Header code incorrect", "Unknown command or argument", - "Incorrect checksum", "Malformed command", "Timed out", -}; - /* * Forward declaration of our sysfs attribute functions, so we can declare the * attribute data structures early. @@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = { }, }; +static const char * const get_error_text(unsigned int i) +{ + static const char * const error_text[] = { + "Success", "Header code incorrect", + "Unknown command or argument", "Incorrect checksum", + "Malformed command", "Timed out", "Unknown error", + }; + + if (unlikely(i >= ARRAY_SIZE(error_text))) + i = ARRAY_SIZE(error_text) - 1; + + return error_text[i]; +} + static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv) { u32 val; @@ -446,7 +455,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd, } if (resp != 0) { mutex_unlock(&priv->lock); - return -ETIMEDOUT; + return -ffs(DCPU_RET_ERR_TIMEDOUT); } /* Compute checksum over the message */ @@ -695,7 +704,7 @@ static ssize_t generic_show(unsigned int command, u32 response[], ret = __send_command(priv, command, response); if (ret < 0) - return sprintf(buf, "ERROR: %s\n", error_text[-ret]); + return sprintf(buf, "ERROR: %s\n", get_error_text(-ret)); return 0; } -- 2.17.1