Date: Wed, 18 Nov 2020 23:05:45 +0100
From: Pavel Machek
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Dan Carpenter, Stephane Grosjean, Marc Kleine-Budde, Sasha Levin
Subject: Re: [PATCH 4.19 019/101] can: peak_usb: add range checking in decode operations
Message-ID: <20201118220545.GB23840@amd>
References: <20201117122113.128215851@linuxfoundation.org> <20201117122114.030656831@linuxfoundation.org>
In-Reply-To: <20201117122114.030656831@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

> From: Dan Carpenter
>
> [ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ]
>
> These values come from skb->data so Smatch considers them untrusted. I
> believe Smatch is correct but I don't have a way to test this.
>
> The usb_if->dev[] array has 2 elements but the index is in the 0-15
> range without checks. The cfd->len can be up to 255 but the maximum
> valid size is CANFD_MAX_DLEN (64) so that could lead to memory
> corruption.

If this is untrusted, does it need to use _nospec() variants?

> index 41988358f63c8..19600d35aac55 100644
> --- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
> +++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
> @@ -476,12 +476,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
> struct pucan_msg *rx_msg)
> {
...
> const u16 rx_msg_flags = le16_to_cpu(rm->flags);
>
> + if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev))
> + return -ENOMEM;

Furthermore, should it use -EINVAL here

> + if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev))
> + return -ENOMEM;

and here, and perhaps use a helper function?

Best regards,
Pavel
-- 
http://www.livejournal.com/~pavelmachek
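
Review bot: in the pcan_usb_fd_decode_canmsg() hunk, the new check on pucan_msg_get_channel(rm) returns -ENOMEM, which reports an allocation failure when the actual condition is an out-of-range channel index in received data. -EINVAL would describe it accurately and keep logs from pointing at memory pressure. Since the commit message treats the value as untrusted input from skb->data that indexes usb_if->dev[], also consider clamping it with array_index_nospec() after the bounds check.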
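
Review bot: the pucan_stmsg_get_channel(sm) check repeats the same comparison against ARRAY_SIZE(usb_if->dev) as the pucan_msg_get_channel(rm) check, differing only in the accessor. A small helper that takes the channel number and validates it would keep the bound and the error code in one place, so a later change to the array size or the errno cannot update one site and miss the other.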