Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp393448pxa;
        Fri, 21 Aug 2020 09:56:42 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyxbzxrens6EKBk/s5RNoHIeB7dhQiEXHwrZtInMIDkqpB66sKTkiJGD+PQLbOv1huuwxGx
X-Received: by 2002:a17:906:b08:: with SMTP id u8mr3711094ejg.401.1598029002008;
        Fri, 21 Aug 2020 09:56:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598029002; cv=none;
        d=google.com; s=arc-20160816;
        b=an6k06dSTJhLdkbaEYSpHje1n2GhEItaYYPpSip2feA1G6cgd7kU2s0xh8T9nxxCEz
         ZM/OwUMQ+8UBLqYxsDPiry8uwlCGBdHUItWDanOPBQaM2LiSoCoxL8TPmd3WElsMAS5o
         t6FUf2XMhA+TjZ3YOdZ5zeafF+aMo9SjUVMzqMElYM0vPeY8h4kChfIrl+S566smv3Fb
         Ub/542VVKV+JgPUdGUwCjfQb/X/x8rMVkSuyngkBwblecGwMKnAFceHw/s3ItpdQEHXR
         satpgrGuK3zWNDob9arj9VlrsS6Ai+vBT5v7Vo/+7vhDU+J0Ehdj3m7Kb3znm3gP+Rr/
         6vug==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:dkim-filter;
        bh=HltSw5UJiAcW4yBoyGmzVkpaaPJhkxo2kKHnaoPknEk=;
        b=ZisO9dOV+aHycFsY9rpCVoLhI3p9avvzde5HzFmMGZUpfRnnZNjx5jlICGJJuDYiBo
         7pXCQGfVguqo7ZjTRzOlDXyDvbDjYzxWKCUTZHUL/H8gqM6rRyoPbhBfOMV1daN6H6i6
         /qiyrROHH5etk9LoCZ9jF0EUAID54S39G38VyvIdnDFyyHTbR2eA4O31sPgDn/PXI29q
         arTGwZOeOP7LylAafDC9/F0hvVKkzFdsa9PcsiBLWBkkqPIn2jwNKhmF65/nQ6P9J1zs
         +iJTH4+0ZOc2Egsf/GXZ4bpZcY5queIg6a84AruNQn3A0yvjQlASnxkB5IzTne0oipmb
         hENw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@broadcom.com header.s=dkimrelay header.b=Na8jhfRp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 96si1717812edq.96.2020.08.21.09.56.17;
        Fri, 21 Aug 2020 09:56:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@broadcom.com header.s=dkimrelay header.b=Na8jhfRp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727914AbgHUQzt (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Fri, 21 Aug 2020 12:55:49 -0400
Received: from rnd-relay.smtp.broadcom.com ([192.19.229.170]:39806 "EHLO
        rnd-relay.smtp.broadcom.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728644AbgHUQwj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 21 Aug 2020 12:52:39 -0400
Received: from mail-irv-17.broadcom.com (mail-irv-17.lvn.broadcom.net [10.75.242.48])
        by rnd-relay.smtp.broadcom.com (Postfix) with ESMTP id 3386A30C193;
        Fri, 21 Aug 2020 09:49:56 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 rnd-relay.smtp.broadcom.com 3386A30C193
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=broadcom.com;
        s=dkimrelay; t=1598028596;
        bh=1N277qLlwPe3wO79G1bB+4oXclXO8d32DbZS3HyRadQ=;
        h=From:To:Cc:Subject:Date:From;
        b=Na8jhfRpR8y7lbNjf/dOMgpbj+FQLlA1dRc4fIZ+D0+31C9SQvuEbj1prGbmHy/qx
         sTfb5MFF9KTPXm9U58ayVkcd0V4rkHJfkmgPOUJE8uZ/RbcngSR/H8FMG+XZODwRuW
         7M9RXa5z4lFxHhdCsw1O2iAOXrcVFhOvWY52B85U=
Received: from lbrmn-mmayer.ric.broadcom.net (lbrmn-mmayer.ric.broadcom.net [10.136.28.150])
        by mail-irv-17.broadcom.com (Postfix) with ESMTP id E31A214008D;
        Fri, 21 Aug 2020 09:52:32 -0700 (PDT)
From:   Markus Mayer <markus.mayer@broadcom.com>
To:     Florian Fainelli <f.fainelli@gmail.com>,
        Colin Ian King <colin.king@canonical.com>,
        Krzysztof Kozlowski <krzk@kernel.org>
Cc:     Markus Mayer <markus.mayer@broadcom.com>,
        BCM Kernel Feedback <bcm-kernel-feedback-list@broadcom.com>,
        Linux ARM Kernel <linux-arm-kernel@lists.infradead.org>,
        Linux Kernel <linux-kernel@vger.kernel.org>
Subject: [PATCH v2] memory: brcmstb_dpfe: fix array index out of bounds
Date:   Fri, 21 Aug 2020 09:52:21 -0700
Message-Id: <20200821165221.32267-1-mmayer@broadcom.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

We would overrun the error_text array if we hit a TIMEOUT condition,
because we were using the error code "ETIMEDOUT" (which is 110) as an
array index.

We fix the problem by correcting the array index and by providing a
function to retrieve error messages rather than accessing the array
directly. The function includes a bounds check that prevents the array
from being overrun.

This patch was prepared in response to
    https://lkml.org/lkml/2020/8/18/505.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
---

Changes since v1:
    - Added link of the coverity report to the commit message.
    - Added Florian's ack.
    - Removed second "const" from get_error_text() return type
      (thanks to the kernel test robot).

 drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
index e08528b12cbd..dcf50bb8dd69 100644
--- a/drivers/memory/brcmstb_dpfe.c
+++ b/drivers/memory/brcmstb_dpfe.c
@@ -188,11 +188,6 @@ struct brcmstb_dpfe_priv {
 	struct mutex lock;
 };
 
-static const char * const error_text[] = {
-	"Success", "Header code incorrect", "Unknown command or argument",
-	"Incorrect checksum", "Malformed command", "Timed out",
-};
-
 /*
  * Forward declaration of our sysfs attribute functions, so we can declare the
  * attribute data structures early.
@@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = {
 	},
 };
 
+static const char *get_error_text(unsigned int i)
+{
+	static const char * const error_text[] = {
+		"Success", "Header code incorrect",
+		"Unknown command or argument", "Incorrect checksum",
+		"Malformed command", "Timed out", "Unknown error",
+	};
+
+	if (unlikely(i >= ARRAY_SIZE(error_text)))
+		i = ARRAY_SIZE(error_text) - 1;
+
+	return error_text[i];
+}
+
 static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv)
 {
 	u32 val;
@@ -445,7 +454,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd,
 	}
 	if (resp != 0) {
 		mutex_unlock(&priv->lock);
-		return -ETIMEDOUT;
+		return -ffs(DCPU_RET_ERR_TIMEDOUT);
 	}
 
 	/* Compute checksum over the message */
@@ -695,7 +704,7 @@ static ssize_t generic_show(unsigned int command, u32 response[],
 
 	ret = __send_command(priv, command, response);
 	if (ret < 0)
-		return sprintf(buf, "ERROR: %s\n", error_text[-ret]);
+		return sprintf(buf, "ERROR: %s\n", get_error_text(-ret));
 
 	return 0;
 }
-- 
2.17.1