From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guenter Roeck, "Russell King (Oracle)", Sasha Levin
Subject: [PATCH 5.18 0187/1095] ARM: findbit: fix overflowing offset
Date: Mon, 15 Aug 2022 19:53:06 +0200
Message-Id: <20220815180437.378375053@linuxfoundation.org>
In-Reply-To: <20220815180429.240518113@linuxfoundation.org>
References: <20220815180429.240518113@linuxfoundation.org>

From: Russell King (Oracle)

[ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ]

When offset is larger than the size of the bit array, we should not
attempt to access the array as we can perform an access beyond the
end of the array. Fix this by changing the pre-condition.

Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since
this will always take the branch when r1 is zero, irrespective of
the value of r2. This means we can fix this bug without adding any
additional code!

Tested-by: Guenter Roeck
Signed-off-by: Russell King (Oracle)
Signed-off-by: Sasha Levin
---
 arch/arm/lib/findbit.S | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S index b5e8b9ae4c7d..7fd3600db8ef 100644 --- a/arch/arm/lib/findbit.S +++ b/arch/arm/lib/findbit.S
@@ -40,8 +40,8 @@ ENDPROC(_find_first_zero_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_zero_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -81,8 +81,8 @@ ENDPROC(_find_first_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -115,8 +115,8 @@ ENTRY(_find_first_zero_bit_be) ENDPROC(_find_first_zero_bit_be) ENTRY(_find_next_zero_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering @@ -149,8 +149,8 @@ ENTRY(_find_first_bit_be) ENDPROC(_find_first_bit_be) ENTRY(_find_next_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering -- 2.35.1
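
Review bot: in the first hunk (`_find_next_zero_bit_le`), the new `cmp r2, r1` / `bhs 3b` pair carries no comment, although it now does two jobs that only the commit message spells out: it rejects offset >= maxbit and, because the comparison is unsigned, it also exits when maxbit is zero. The prototype comment just above declares `int offset`, so it is also worth recording that a negative offset is treated as a large unsigned value and takes the branch. Suggest annotating the branch, for example `bhs 3b @ offset >= maxbit (also maxbit == 0)`.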
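
Review bot: in the second hunk, the context comment ahead of `ENTRY(_find_next_bit_le)` still reads `Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset)`, which names the zero-bit variant for the set-bit routine. Since the patch changes how maxbit (r1) and offset (r2) are checked at this entry, this is a good moment to correct the prototype comment so the argument order the new comparison relies on is documented against the right function.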
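
Review bot: in the third hunk (`_find_next_zero_bit_be`), the new check bounds r2 as a bit offset, but the path it guards continues with `eor r3, r2, #0x18 @ big endian byte ordering`, which flips the low two bits of the byte index. With offset < maxbit, the byte selected from r3 can therefore sit up to three bytes past the one holding bit maxbit-1, inside the same 32-bit word. The bound is sufficient only if the bitmap storage is always a whole number of 32-bit words; please state that assumption in a comment or in the commit message.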
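
Review bot: in the fourth hunk (`_find_next_bit_be`), as in the three before it, the early exit is `bhs 3b`, a backward reference to a numeric local label that lies outside the hunk context and, judging by the `ENDPROC(_find_first_bit_be)` line directly above the entry, inside the preceding routine. The fix is correct only if each of the four `3:` targets returns maxbit for the new offset >= maxbit case, which cannot be confirmed from the diff. Please confirm that in the commit message, and consider a shared macro for the identical two-instruction precondition so the four copies cannot drift apart.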