From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guenter Roeck, "Russell King (Oracle)", Sasha Levin
Subject: [PATCH 4.19 053/287] ARM: findbit: fix overflowing offset
Date: Tue, 23 Aug 2022 10:23:42 +0200
Message-Id: <20220823080102.024799738@linuxfoundation.org>

From: Russell King (Oracle)

[ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ]

When offset is larger than the size of the bit array, we should not
attempt to access the array as we can perform an access beyond the
end of the array. Fix this by changing the pre-condition.

Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since
this will always take the branch when r1 is zero, irrespective of
the value of r2. This means we can fix this bug without adding any
additional code!

Tested-by: Guenter Roeck
Signed-off-by: Russell King (Oracle)
Signed-off-by: Sasha Levin
--- arch/arm/lib/findbit.S | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S index 7848780e8834..20fef6c41f6f 100644 --- a/arch/arm/lib/findbit.S +++ b/arch/arm/lib/findbit.S
@@ -43,8 +43,8 @@ ENDPROC(_find_first_zero_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_zero_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -84,8 +84,8 @@ ENDPROC(_find_first_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -118,8 +118,8 @@ ENTRY(_find_first_zero_bit_be) ENDPROC(_find_first_zero_bit_be) ENTRY(_find_next_zero_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering @@ -152,8 +152,8 @@ ENTRY(_find_first_bit_be) ENDPROC(_find_first_bit_be) ENTRY(_find_next_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering -- 2.35.1
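Review bot: in the _find_next_zero_bit_le hunk (@@ -43,8), the new `cmp r2, r1` / `bhs 3b` pair is an unsigned comparison, while the prototype comment in the context lines still declares `int offset` next to `unsigned int maxbit`. A negative offset is therefore treated as a very large unsigned value and takes the early branch, which is the safe outcome, but nothing in the source says this is intended. Suggest changing the comment to `unsigned int offset`, or adding a trailing comment on the `bhs` line stating that any offset >= maxbit, negative values included, leaves through 3b.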
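Review bot: the prototype comment in the context above ENTRY(_find_next_bit_le) (@@ -84,8) reads `int find_next_zero_bit(void *addr, unsigned int maxbit, int offset)`, which names the wrong function for this entry point; it should read find_next_bit. The hunk changes the two instructions directly below that comment, so the mismatch is easy to carry forward unnoticed; since this is a stable backport, the comment fix is best sent as a separate upstream change rather than folded in here.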
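Review bot: in the two big-endian hunks (@@ -118,8 and @@ -152,8), as in the little-endian ones, the reason `cmp r2, r1` / `bhs 3b` also handles size == 0 is stated only in the commit message, whereas the removed `teq r1, #0` made that case explicit in the code. A short trailing comment on the new lines, for example `@ offset >= size (covers size == 0)`, would stop a later reader from re-adding the zero test. The label 3b lies outside the visible context, so what the routine returns for an out-of-range offset cannot be checked from these hunks; a sentence in the changelog stating the return value in that case would help reviewers of the backport.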