Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp390349pxa; Fri, 21 Aug 2020 09:51:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwUZbfSz7L0vu7AkjvDy2Y+i6oRx5p5ig7uX81Jf10KesfMdMewWDsf8TIhUWufb+GNeOzY X-Received: by 2002:a17:906:f107:: with SMTP id gv7mr3513971ejb.519.1598028681518; Fri, 21 Aug 2020 09:51:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598028681; cv=none; d=google.com; s=arc-20160816; b=RhJ5s3TnLw9gqPu/5aGx3J7cNk9cu0FrYpfRfN8Ve0kjsmxY2K8eYLMOfJHIuF0/2J w+bhs4Tvh02c5sNEDHtwjHPEKAH//ME2XnPgdLUvjVPV4vWCr3PgVFWD8CJThFrRpw/i RdU400gZbera2IuxYvUXWOjLDqddrJQl0nA7dJXo5evw28NP28yr4yB4tbQBTys+dsLO TK6ExcuPJvqAdWD5RaKRc61eKup8VyiJkvfINXiBpmTiC64EzMbi5p4K7NCEKMR/Za/6 3yfFXT2e34vc19T/TnTPMnU/uT/CrEEz1GyZZAooJL/uzPJJLOCcYurQ/DcJStnQ2Ll4 k/fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=XYCTWQk0laqVOOppyvOGRK+sDe7eGSnOJ2JCeNqCPQ0=; b=LAlurAsucEZLP/UtZokf8mL8/kMkAOGwCMU/MVLL04No4NsVkE++lnBknD0eGOLfNm OAOA1V8Dy/yDdtxLiiZy+xruLh+jlp2AUWR9NNM5yUPb0uL+JyEbU5Poj1v69pGGF4we gDEWjFEOg2B0MTR4GlH8023k9z8xPz6j9Cktd9phOSCW0wF9C6glPQx2aNuaaLe38V4a XgkuvQfTF2zujOvkxcoFKhzbOl+OUypYslnAH/17XFdtB5JHd+Ete6lHZnKVDmBL0Eo6 WnMq8meH4OtvDhFsOzxuaO87qGMjmrnp9R+6ayzKWlSd7L9VDKn4B7kKHGhcLYXCqHgE VN3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@broadcom.com header.s=google header.b=X2CKbIJp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j14si1561389ejd.406.2020.08.21.09.50.57; Fri, 21 Aug 2020 09:51:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@broadcom.com header.s=google header.b=X2CKbIJp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728712AbgHUQuX (ORCPT + 99 others); Fri, 21 Aug 2020 12:50:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37928 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728146AbgHUQuE (ORCPT ); Fri, 21 Aug 2020 12:50:04 -0400 Received: from mail-ej1-x644.google.com (mail-ej1-x644.google.com [IPv6:2a00:1450:4864:20::644]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EFA2FC061573 for ; Fri, 21 Aug 2020 09:50:02 -0700 (PDT) Received: by mail-ej1-x644.google.com with SMTP id t10so3063505ejs.8 for ; Fri, 21 Aug 2020 09:50:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XYCTWQk0laqVOOppyvOGRK+sDe7eGSnOJ2JCeNqCPQ0=; b=X2CKbIJpkTLzgsWlRP2JtwgYiIBv9S4Mpnx7WMBh0JyqpACFEgKE+3vA7rlr69KGUn 5Hl6n9+E2bNe+8mWI+oeHmzBZlI3Yj4dVgrd7RjSj3HYesfFzOtaJdOzOFCFS0oP5217 xzwK7efDRNOIMCEcMDNmW2OIM5HpArpLEOmpg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XYCTWQk0laqVOOppyvOGRK+sDe7eGSnOJ2JCeNqCPQ0=; b=jJxKS6DiHz/gOkgssTJ/sZRBL4+9inkMeHmefz7Tbi09GvULK19Ym56P5s/mXMsEEq F+U+xqkiwqIVsaRIOR85q6hYlhwVrO/4orkruo37SzMB9km8DDF0oTyxLn8ZGIXdmA99 ZHSurgXtRSOk9h4K6G/S5CthL0J5rlXwny/D0YJufeO1TkZuBUp2hlUGW5DK7hntvEf8 Bdvb90yrWDHCNYkXivtFqDOUGM2oJCiXXKV6LWRl7F2epleA44OlpUOYg/8pjen89qHG G2cgSCY9EAWqzcrO1lX3tGB40d1pe8kCCkgpyI9Mvlz8EM8SuwJ9bsqkoVLGbcBrvdkz Ughg== X-Gm-Message-State: AOAM533Z2/BwnC5/RAw0+S0oz2rf4oFNWvIRnSd+Jtg2DoecFIxGB03M athe/F0eS3DlPI2Ux1LPg70cEH2cao0hlmGqt0gxuQ== X-Received: by 2002:a17:906:d054:: with SMTP id bo20mr3931788ejb.9.1598028601414; Fri, 21 Aug 2020 09:50:01 -0700 (PDT) MIME-Version: 1.0 References: <20200821010333.20436-1-mmayer@broadcom.com> <20200821054023.GA3906@kozik-lap> In-Reply-To: <20200821054023.GA3906@kozik-lap> From: Markus Mayer Date: Fri, 21 Aug 2020 09:49:50 -0700 Message-ID: Subject: Re: [PATCH] memory: brcmstb_dpfe: fix array index out of bounds To: Krzysztof Kozlowski Cc: Florian Fainelli , Colin Ian King , BCM Kernel Feedback , Linux ARM Kernel , Linux Kernel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 20 Aug 2020 at 22:40, Krzysztof Kozlowski wrote: > > On Thu, Aug 20, 2020 at 06:03:33PM -0700, Markus Mayer wrote: > > We would overrun the error_text array if we hit a TIMEOUT condition, > > because we were using the error code "ETIMEDOUT" (which is 110) as an > > array index. > > > > We fix the problem by correcting the array index and by providing a > > function to retrieve error messages rather than accessing the array > > directly. The function includes a bounds check that prevents the array > > from being overrun. > > > > Signed-off-by: Markus Mayer > > --- > > > > This patch was prepared in response to https://lkml.org/lkml/2020/8/18/505. > > > > drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++------- > > 1 file changed, 16 insertions(+), 7 deletions(-) > > > > diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c > > index 81abc4a98a27..a986a849f58e 100644 > > --- a/drivers/memory/brcmstb_dpfe.c > > +++ b/drivers/memory/brcmstb_dpfe.c > > @@ -190,11 +190,6 @@ struct brcmstb_dpfe_priv { > > struct mutex lock; > > }; > > > > -static const char * const error_text[] = { > > - "Success", "Header code incorrect", "Unknown command or argument", > > - "Incorrect checksum", "Malformed command", "Timed out", > > -}; > > - > > /* > > * Forward declaration of our sysfs attribute functions, so we can declare the > > * attribute data structures early. > > @@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = { > > }, > > }; > > > > +static const char * const get_error_text(unsigned int i) > > The pointer itself is returned by value and you cannot return a const > value. I mean, you can but it does not have an effect. Only pointed > memory should be const (const const char*). v2 is on the way. Regards, -Markus > > +{ > > + static const char * const error_text[] = { > > + "Success", "Header code incorrect", > > + "Unknown command or argument", "Incorrect checksum", > > + "Malformed command", "Timed out", "Unknown error", > > + }; > > + > > + if (unlikely(i >= ARRAY_SIZE(error_text))) > > + i = ARRAY_SIZE(error_text) - 1; > > + > > + return error_text[i]; > > +} > > + > > static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv) > > { > > u32 val; > > @@ -446,7 +455,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd, > > } > > if (resp != 0) { > > mutex_unlock(&priv->lock); > > - return -ETIMEDOUT; > > + return -ffs(DCPU_RET_ERR_TIMEDOUT); > > } > > > > /* Compute checksum over the message */ > > @@ -695,7 +704,7 @@ static ssize_t generic_show(unsigned int command, u32 response[], > > > > ret = __send_command(priv, command, response); > > if (ret < 0) > > - return sprintf(buf, "ERROR: %s\n", error_text[-ret]); > > + return sprintf(buf, "ERROR: %s\n", get_error_text(-ret)); > > > > return 0; > > } > > -- > > 2.17.1 > >