Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp1309354pxu; Fri, 16 Oct 2020 08:53:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy0tiiH0AjjuUf3uEERhdAwzU0dykRkLC36+2EX7mcXl6/KPzt87YmfPN/kdIYChyo+bBVB X-Received: by 2002:a17:906:26c6:: with SMTP id u6mr4574536ejc.349.1602863638356; Fri, 16 Oct 2020 08:53:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602863638; cv=none; d=google.com; s=arc-20160816; b=y7z6Z7Qsjhzey/Ihg+7pkkvxtNYdWIPiIKULmaXBkQC9FuzdUILHB3iD/BD7Q0AEVt oZE8dLrkkhpazbGUd4ZH6EkIyWDpljevHn+bNnJKvZRE2gYIOZF7epqcTKsDoG9jBtH2 tcUcuUenSFI9tgIcle4FWnLs8iOgpMfR9vjnLIRAdAGSr9t9kYYp4q/rDusPAQFWYQpo mFULV/a9Hmp8NrQNjMlfaPBb4zO8JVA0kHb/EB07seLIzLWNqikN8eDsL1aWoCq65g7V ZWFpu3wUkqVD2MvlYRqIk5AJW/BX2eIkdaC2gjTvbW279LDtL1mfywaaQac8HrZOfnso vSvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=5UQZAgBcgAciVGlVNjL02/mE7SS/qeXCWtR+6WQ1uug=; b=dBY0lqq8j1DgH4JZ3ZaRu8c8LiABwwmNnLgjQyJy41s/fOGmRAoj05yJQ3T7CAKH5R 22dA/nARylkPqCND6UGN1T4+9ZQ9xasxbGwea/NSY33OE1TUpWvMENuM5JTP/yzqaymb Ouj92wRlg8d9w+qjBjaxdBvZqqFIUtZIn/FbjY0+aXlV2ybv4a0IGhLNiFhAzqNUobhp d+JZ/2UsHTWKy/LXFC4yln3j45gkhfgnn+OUZn8BnC7wgJYlbW+IDIcLxU4b0cpQB+MP ufikuKV7mEkJWYEis3+2z3J8rdP5umB3EQe0Q9d4nJw1zW0wiZUMGKeKsh5OqwwlTUAY Awag== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s6si2002537eju.387.2020.10.16.08.53.36; Fri, 16 Oct 2020 08:53:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2408912AbgJPOd4 (ORCPT + 99 others); Fri, 16 Oct 2020 10:33:56 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:48244 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2405999AbgJPOdx (ORCPT ); Fri, 16 Oct 2020 10:33:53 -0400 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kTQnn-0006UY-CP; Fri, 16 Oct 2020 14:33:51 +0000 From: Colin King To: Matias Bjorling , =?UTF-8?q?Matias=20Bj=C3=B8rling?= , Jens Axboe , linux-block@vger.kernel.org Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] lightnvm: fix out-of-bounds write to array devices->info[] Date: Fri, 16 Oct 2020 15:33:51 +0100 Message-Id: <20201016143351.677352-1-colin.king@canonical.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Colin Ian King There is an off-by-one array check that can lead to a out-of-bounds write to devices->info[i]. Fix this by checking by using >= rather than > for the size check. Also replace hard-coded array size limit with ARRAY_SIZE on the array. Addresses-Coverity: ("Out-of-bounds write") Fixes: cd9e9808d18f ("lightnvm: Support for Open-Channel SSDs") Signed-off-by: Colin Ian King --- drivers/lightnvm/core.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c index fe78bf0fdce5..f9f5dd38c697 100644 --- a/drivers/lightnvm/core.c +++ b/drivers/lightnvm/core.c @@ -1311,8 +1311,9 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg) strlcpy(info->bmname, "gennvm", sizeof(info->bmname)); i++; - if (i > 31) { - pr_err("max 31 devices can be reported.\n"); + if (i >= ARRAY_SIZE(devices->info)) { + pr_err("max %zd devices can be reported.\n", + ARRAY_SIZE(devices->info)); break; } } -- 2.27.0