Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp881979pxb;
        Tue, 14 Sep 2021 10:41:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJypcRVuAtb4BbbY/sr49xyHwUvUh8SF2NImW08L51yIlTnEpsU1qLbRKLtbvK7yFttnk+oF
X-Received: by 2002:a05:6512:ac3:: with SMTP id n3mr14461030lfu.93.1631641288844;
        Tue, 14 Sep 2021 10:41:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1631641288; cv=none;
        d=google.com; s=arc-20160816;
        b=GuEj6ADLTademXMR9qFRZ4bx8/B3rc84fPV+TMhTSEj4U/Ezv+J9SNFDvycWWdWsMK
         DDs/YICDKDkNJ99t4RNNwMeASz0t/gWTiqWRlj8OVzjEpxTJDuufCJVp1dpHHdPSGijT
         uS36URLPI5abB+KXqHiy88u6457s2kOoB5Aa8C2WIZ9UCa2w2SpSCGG1eA4MAQcGpsXl
         XuktNhrdbgec2sCIzcWqfimfWWV2dckqaNHO5upAwy5JU1XFklr5ZtyiRBCrE9RuOCTn
         4Oy0FwqvNIa3kThsHafnmBBtJyPJxftiXM6+Em/x/e3dt1dLCz6ShfxJ/HC4By0CDc8N
         9iaQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=+rf6kBs+/9bLcwa9s9woWwTkh/8ZWrPM4yhJ14r6BwY=;
        b=S280EMulzIMARELJPSU/Y3Q1iQ7jbExqlS7wBVemiJbhmeZyd0nQyMESk5LbEOw6sT
         5oasvyMlNF3WXyS/vM4rF/a5D5BtuEoEMFI1tdC7cHYTm1TDBFzy8C9BZhx/CmQvKk9t
         C4jUTjSsx9AGt5UvLs4sFyB+4XoySHFETw9BoFNvLpBO9wZU+XCFRbYhkXX3P7q1sNQn
         /SJ+L+H/jkdW/afpBTgF0isZ9eKPuOi6QWvVO6OQR84TKSasjdZftSz8F3RlTQ76IN1f
         CdVojkLKhuPqtvTLlAu+qYICy+RXzP3+DgtXVuaqJZBhe92GQOp9NIGYafOrUY0SgI4s
         ycig==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m8si10902570lfp.599.2021.09.14.10.41.00;
        Tue, 14 Sep 2021 10:41:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230035AbhINRkj (ORCPT <rfc822;lkml.email@gmail.com> + 99 others);
        Tue, 14 Sep 2021 13:40:39 -0400
Received: from relay5-d.mail.gandi.net ([217.70.183.197]:57119 "EHLO
        relay5-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229706AbhINRki (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Sep 2021 13:40:38 -0400
Received: (Authenticated sender: miquel.raynal@bootlin.com)
        by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id BDC731C0008;
        Tue, 14 Sep 2021 17:39:16 +0000 (UTC)
From:   Miquel Raynal <miquel.raynal@bootlin.com>
To:     Evgeny Novikov <novikov@ispras.ru>,
        Miquel Raynal <miquel.raynal@bootlin.com>
Cc:     Richard Weinberger <richard@nod.at>,
        Vignesh Raghavendra <vigneshr@ti.com>,
        Ramuthevar Vadivel Murugan 
        <vadivel.muruganx.ramuthevar@linux.intel.com>,
        Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
        Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
        Kirill Shilimanov <kirill.shilimanov@huawei.com>,
        Anton Vasilyev <vasilyev@ispras.ru>,
        linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
        ldv-project@linuxtesting.org
Subject: Re: [PATCH] mtd: rawnand: intel: Fix potential buffer overflow in probe
Date:   Tue, 14 Sep 2021 19:39:16 +0200
Message-Id: <20210914173916.301250-1-miquel.raynal@bootlin.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210903082653.16441-1-novikov@ispras.ru>
References: 
MIME-Version: 1.0
X-linux-mtd-patch-notification: thanks
X-linux-mtd-patch-commit: b'46a0dc10fb32bec3e765e51bf71fbc070dc77ca3'
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2021-09-03 at 08:26:53 UTC, Evgeny Novikov wrote:
> ebu_nand_probe() read the value of u32 variable "cs" from the device
> firmware description and used it as the index for array ebu_host->cs
> that can contain MAX_CS (2) elements at most. That could result in
> a buffer overflow and various bad consequences later.
> 
> Fix the potential buffer overflow by restricting values of "cs" with
> MAX_CS in probe.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Fixes: 0b1039f016e8 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC")
> Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
> Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
> Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
> Co-developed-by: Anton Vasilyev <vasilyev@ispras.ru>
> Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git nand/next, thanks.

Miquel