Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp3167786pxy; Wed, 4 Aug 2021 04:11:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJycB9fDYOWvmF76l4xSbNMB2somOJZsY45ySR/E0eUh+tmhz+DdMD1F23UnW3aKAyEfVjFX X-Received: by 2002:a17:906:3e02:: with SMTP id k2mr24852471eji.479.1628075471244; Wed, 04 Aug 2021 04:11:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628075471; cv=none; d=google.com; s=arc-20160816; b=CbqSgsygtrRwhnIFIiLkmlQsJPUJSofR01UKtpO5kV0yevxYHQ9KxVxS3x1CbqT5Tq afE9KJhvopcnvsV3vdliejCOVE21JzBFYrgmx4/Ak9aqGnT6kcsPx8iBHznSKXDn4JW0 xQokBRbt9Br5uAMiYPRPlrDT8vKrNCcu6hPsRM50utdjcyNQzS9jkBbagiGLzzhbcOKr UVEcJV4FN289q4L1u9S9EZ2muMuAl8HFwC7IjmjNzgaGio1TxpT5H7wdESTGyOIVDDGf DfdjH8L/eJDwdR3AhkKdWJr5CDfpmma4OGdIZ9vFhbSf5hN2fVYoMpde2PtX3qZUHGsV DZ9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=tBC4s4PfMF3UN4BVkVvLyxlDTB0LXOpoaHs34I8TYLU=; b=MErMzNZ6VzxV5q7PCJd6ho7US1yQ5z8uCUE9uoxRsDyThZgh3J+q17hBgYpU+4fBlB OGluZJO72mFbGDyBtFU8YZA81+U+njWqqOJuMXVHz92i1hqq0fHIYGXV7AJhewCdDams c3FlYOemCj2Nqno/WmvCyzodDXVTbbYtYCeYXBkkBIv4TqxrQwJQwOfjPdiKh4CZEkFA 1f7kJFe0lCFUBdp0UVehsPCuUEMjpHEXyrJZtMaNJgEYWL6TS9aysEwE57dB1BmxGfbX Lvcr3OxdTyk1XQnkVfSXcjPXhWzDjopRmlNmXIkdeD3rGCD1D30M8IOZD/4IRO8bl9PS NmYg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ss12si1727741ejb.133.2021.08.04.04.10.47; Wed, 04 Aug 2021 04:11:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236953AbhHDKtk (ORCPT + 99 others); Wed, 4 Aug 2021 06:49:40 -0400 Received: from mail.ispras.ru ([83.149.199.84]:56590 "EHLO mail.ispras.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236736AbhHDKtI (ORCPT ); Wed, 4 Aug 2021 06:49:08 -0400 Received: from hellwig.intra.ispras.ru (unknown [10.10.2.182]) by mail.ispras.ru (Postfix) with ESMTPSA id 21450405A19B; Wed, 4 Aug 2021 10:48:54 +0000 (UTC) Subject: Re: [PATCH] platform/x86: intel_pmc_core: Prevent possibile overflow To: "David E. Box" , irenic.rajneesh@gmail.com, gayatri.kammela@intel.com, hdegoede@redhat.com, mgross@linux.intel.com, andy.shevchenko@gmail.com Cc: platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org References: <20210804003039.359138-1-david.e.box@linux.intel.com> From: Evgeny Novikov Message-ID: <159dec07-9f05-3a92-8b7d-3d2f27448f70@ispras.ru> Date: Wed, 4 Aug 2021 13:48:53 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0 MIME-Version: 1.0 In-Reply-To: <20210804003039.359138-1-david.e.box@linux.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi David, Your patch fixes the out of bound issue, but I have another concern regarding possible incomplete initialization of first 8 elements of the lpm_priority array that is declared on the stack and is not initialized, say, with zeroes. Yet again due to some invalid values coming from the register, it is not guaranteed that something meaningful will be assigned for all first 8 elements of lpm_priority in the first cycle in pmc_core_get_low_power_modes(). In the second cycle this function accesses all these elements from lpm_priority. Though there is test "!(BIT(mode) & lpm_en)", it can pass accidentally, thus some unexpected values can be stored to "pmcdev->lpm_en_modes[i++]" and exposed later. Best regards, Evgeny Novikov On 04.08.2021 03:30, David E. Box wrote: > Low Power Mode (LPM) priority is encoded in 4 bits. Yet, this value is used > as an index to an array whose element size was less than 16, leading to the > possibility of overflow should we read a larger than expected priority. Set > the array size to 16 to prevent this. > > Reported-by: Evgeny Novikov > Signed-off-by: David E. Box > --- > drivers/platform/x86/intel_pmc_core.c | 2 +- > drivers/platform/x86/intel_pmc_core.h | 1 + > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c > index b0e486a6bdfb..2a761fe98277 100644 > --- a/drivers/platform/x86/intel_pmc_core.c > +++ b/drivers/platform/x86/intel_pmc_core.c > @@ -1451,7 +1451,7 @@ DEFINE_SHOW_ATTRIBUTE(pmc_core_pkgc); > > static void pmc_core_get_low_power_modes(struct pmc_dev *pmcdev) > { > - u8 lpm_priority[LPM_MAX_NUM_MODES]; > + u8 lpm_priority[LPM_MAX_PRI]; > u32 lpm_en; > int mode, i, p; > > diff --git a/drivers/platform/x86/intel_pmc_core.h b/drivers/platform/x86/intel_pmc_core.h > index e8dae9c6c45f..b98c2b44c938 100644 > --- a/drivers/platform/x86/intel_pmc_core.h > +++ b/drivers/platform/x86/intel_pmc_core.h > @@ -190,6 +190,7 @@ enum ppfear_regs { > #define LPM_MAX_NUM_MODES 8 > #define GET_X2_COUNTER(v) ((v) >> 1) > #define LPM_STS_LATCH_MODE BIT(31) > +#define LPM_MAX_PRI 16 /* size of 4 bits */ > > #define TGL_PMC_SLP_S0_RES_COUNTER_STEP 0x7A > #define TGL_PMC_LTR_THC0 0x1C04