Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp2647558pxy;
        Tue, 3 Aug 2021 11:22:16 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxp7cDCun8cNlyJYaAmfPMhxdIAie/ZapuheakgadD/sSgEZWFPE74Udq23t25CJ4ljubqm
X-Received: by 2002:a05:6602:2801:: with SMTP id d1mr1287113ioe.73.1628014935930;
        Tue, 03 Aug 2021 11:22:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628014935; cv=none;
        d=google.com; s=arc-20160816;
        b=qJffGaCH0Gxi/tOSUTTEZu+yygZibPTkTqfTm0qKWarQIwj257lqBg8Zb3toiLUGUl
         1JFJ8iEdA8HCNlXwrjBj/bn2gGdNAZdqiZ7u2oKsKMDbqpSAt1xaisHPgw7wHZK3WWBD
         gSZmEM1NbG3lWjEXXe28xjhoPEuFTv+SWW82pOQRwzfp//HVBewkCS+bf+0M2c2NrywC
         rcBQiHJvlloeDBOYheSreaNHWCj3B953+HfM38UX63JtIcYQAlPNC9Tpt4ejGN8gsFVG
         tYFqgKo91pvRpkTSFY7OOoFYfumyzkWIR/Ccny+hKF80+lGODbVcmF/tJNBxzdUKB19w
         nekw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=b0d19u1JKtexMXEhvOPqiYJWUbQlE9CMGGbIm+W15zo=;
        b=wbaaSsCcTPvbvgj1l366AVvWdeaX4mPrI7CZqOyw4XJWO1+7UPX4ThN1jTuirTg7fQ
         Z6Tu4KbfB6yH3LpojBy2MVjsFQxqcKEfN1r2Wu/vxlLAWJn1GpsRYslPyyQm96RV+5cN
         NnKs99C+fVLdcNh1EFY0iX2Ty6S6zCblonkVuQzx/2bMReL1uDF6AqRpZAgK4O+2BkmN
         yHDABUjfUJPipP6SKDJZ8rAbh0SOWMFD6+jZjD7EesM93eLGHGLlwYOCACXdeJYoCQ2d
         jfWrYF1t5yqn/jkBPPHmT4/kP0oWlfhUYcSxPDoqoHs6b+Z5bCQgyhaR5GOVz7AzG+AR
         V4wQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e20si19063834iow.6.2021.08.03.11.22.03;
        Tue, 03 Aug 2021 11:22:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238736AbhHCSLw (ORCPT <rfc822;liq3ea@gmail.com> + 99 others);
        Tue, 3 Aug 2021 14:11:52 -0400
Received: from mail.ispras.ru ([83.149.199.84]:36584 "EHLO mail.ispras.ru"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229812AbhHCSLv (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Aug 2021 14:11:51 -0400
Received: from hellwig.intra.ispras.ru (unknown [10.10.2.182])
        by mail.ispras.ru (Postfix) with ESMTPS id 5FE6640D3BFF;
        Tue,  3 Aug 2021 18:11:36 +0000 (UTC)
From:   Evgeny Novikov <novikov@ispras.ru>
To:     Rajneesh Bhardwaj <irenic.rajneesh@gmail.com>
Cc:     Evgeny Novikov <novikov@ispras.ru>,
        David E Box <david.e.box@intel.com>,
        Hans de Goede <hdegoede@redhat.com>,
        Mark Gross <mgross@linux.intel.com>,
        "David E. Box" <david.e.box@linux.intel.com>,
        Gayatri Kammela <gayatri.kammela@intel.com>,
        platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org,
        ldv-project@linuxtesting.org
Subject: [PATCH] platform/x86: intel_pmc_core: Fix potential buffer overflows
Date:   Tue,  3 Aug 2021 21:11:35 +0300
Message-Id: <20210803181135.22298-1-novikov@ispras.ru>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

It looks like pmc_core_get_low_power_modes() mixes up modes and
priorities. In addition to invalid behavior, potentially this can
cause buffer overflows since the driver reads priorities from the
register and then it uses them as indexes for array lpm_priority
that can contain 8 elements at most. The patch swaps modes and
priorities.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 005125bfd70e ("platform/x86: intel_pmc_core: Handle sub-states generically")
Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
---
 drivers/platform/x86/intel_pmc_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
index b0e486a6bdfb..667b3df03764 100644
--- a/drivers/platform/x86/intel_pmc_core.c
+++ b/drivers/platform/x86/intel_pmc_core.c
@@ -1469,8 +1469,8 @@ static void pmc_core_get_low_power_modes(struct pmc_dev *pmcdev)
 		int pri0 = GENMASK(3, 0) & priority;
 		int pri1 = (GENMASK(7, 4) & priority) >> 4;
 
-		lpm_priority[pri0] = mode;
-		lpm_priority[pri1] = mode + 1;
+		lpm_priority[mode] = pri0;
+		lpm_priority[mode + 1] = pri1;
 	}
 
 	/*
-- 
2.26.2