Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp5513154rwb;
        Mon, 14 Nov 2022 05:53:54 -0800 (PST)
X-Google-Smtp-Source: AA0mqf58T9+mhlYXr7S+v61Phd2NNmVXKbCs0VkFYhlBEFei0znprR7exlyGQoAswn8pZBDVCbr6
X-Received: by 2002:a05:6402:378c:b0:463:ab06:f338 with SMTP id et12-20020a056402378c00b00463ab06f338mr11138773edb.371.1668434033901;
        Mon, 14 Nov 2022 05:53:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668434033; cv=none;
        d=google.com; s=arc-20160816;
        b=0kYdZ0kX7VI7n0I9sHh48gW/oeLgoR8LKhOxXG97LA7aTM1q+AOPfHU+1QYPaau9/W
         GAsMyHiMq4PaN89iglYCTJy5Nqw+jQvDTx436x6KEqzwrhWrp3fIgn6R65xt/8DnCb9h
         yEIyMT09AzgNtyqW2ydyPscUjj5KntpLMiAOT0In5lC6SeQhFM0EuI+mkc4jTgi3RbD9
         UxGlgxWPIVA0et/njdEH+oY7IpAn84JkzgmTkyYkcLWw3+Z/SOO81YyRRXhCpKLL1gWp
         n7tJA3PmswRQ9f38+vmG0OkYhRoofgE6k1Gb1R0/uWnIUsevlsdDF6VOXwYjgy1ZA3Gv
         lpLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :content-language:references:cc:to:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=hbffMJzz+D/Of/1FLXDm6mYFbbw4YsWQLicJfJxuiDk=;
        b=nlLnEpzUoOXSMmST65RgTnglPU3E3Ay5eBP1wcYML84qRpDpFNg65miVVQ7phco7lX
         o2mM6WO3A10gf/sz4kaDjBuZlb3Pyc4B/xfVlbi25ZnxgXcbEf7nG6It6bkg9eM+GNfu
         0RymWzdPmS03rsc9Gve3xiVLEeVuzrNJ0NbGiT3pq3xR+tZIaN6pIJbOAx8Rq/ZXDBcw
         QhYjoziYfJbXje8gbQfOFWmISPgvePlDR91M/o87xAnNzQlt2VQgVVaKvOvPX2Ga+Wfp
         MLigU/WiIGWzh9P3S7U/+sMNKOWxLnLcR6xJYRmLaFj6YWf+HrF1EZbZ9gqMWznF8aEY
         mBpw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@foss.st.com header.s=selector1 header.b=LkFnIMTn;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foss.st.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id m15-20020a056402430f00b0046777d0ad16si7604575edc.394.2022.11.14.05.53.32;
        Mon, 14 Nov 2022 05:53:53 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@foss.st.com header.s=selector1 header.b=LkFnIMTn;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foss.st.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236997AbiKNNNS (ORCPT <rfc822;xiejw.io@gmail.com> + 87 others);
        Mon, 14 Nov 2022 08:13:18 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40238 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237956AbiKNNM7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Nov 2022 08:12:59 -0500
Received: from mx07-00178001.pphosted.com (mx08-00178001.pphosted.com [91.207.212.93])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1234028E3B;
        Mon, 14 Nov 2022 05:12:54 -0800 (PST)
Received: from pps.filterd (m0046661.ppops.net [127.0.0.1])
        by mx07-00178001.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2AE9XhTu007380;
        Mon, 14 Nov 2022 14:12:23 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foss.st.com; h=message-id : date :
 mime-version : subject : to : cc : references : from : in-reply-to :
 content-type : content-transfer-encoding; s=selector1;
 bh=hbffMJzz+D/Of/1FLXDm6mYFbbw4YsWQLicJfJxuiDk=;
 b=LkFnIMTnOo8zdx7Th17lovNc7GntRC53jHryNYtyefqdEfrCrj5KnKoY6hGRhT7nkOQJ
 4/CXx/kC+d8MbNEL7jQJVf6+BirkayjJCqr/8YR1ZsS9WwlorX5v2Sru+k+KUCEZ3NMs
 Yh9sSFeQqDt8aZO+07LjvgNg3SDaNg5rbY/gXay0Oj4vGgH123n+81lnXfwPj7SFPxvm
 tHHCZ0HJtDfUZzI4pBqeos9HGKnx6c3/0O1iIjd3AdWDVRoTr+2vowt73tEWAn34/dy6
 /O1BlwRm+b9shrIQ5jElHiK+S0pJe6hV5HCOFTfa611ji3cVP1gexGujYPcWKEFXT/Eg fQ== 
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35])
        by mx07-00178001.pphosted.com (PPS) with ESMTPS id 3ktq2yfgdb-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 14 Nov 2022 14:12:23 +0100
Received: from euls16034.sgp.st.com (euls16034.sgp.st.com [10.75.44.20])
        by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id 207EE10002A;
        Mon, 14 Nov 2022 14:12:16 +0100 (CET)
Received: from Webmail-eu.st.com (shfdag1node1.st.com [10.75.129.69])
        by euls16034.sgp.st.com (STMicroelectronics) with ESMTP id 4CB4622A6EF;
        Mon, 14 Nov 2022 14:12:16 +0100 (CET)
Received: from [10.129.167.233] (10.129.167.233) by SHFDAG1NODE1.st.com
 (10.75.129.69) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.32; Mon, 14 Nov
 2022 14:12:15 +0100
Message-ID: <ad2009b0-01be-76d9-ba02-e38a9ba87894@foss.st.com>
Date:   Mon, 14 Nov 2022 14:12:15 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Subject: Re: Coverity: vgxy61_tx_from_ep(): Memory - corruptions
To:     coverity-bot <keescook@chromium.org>
CC:     <linux-kernel@vger.kernel.org>,
        Sakari Ailus <sakari.ailus@linux.intel.com>,
        Jean-Michel Hautbois <jeanmichel.hautbois@ideasonboard.com>,
        Shawn Tu <shawnx.tu@intel.com>, <linux-media@vger.kernel.org>,
        Sylvain Petinot <sylvain.petinot@foss.st.com>,
        Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>,
        Hans Verkuil <hverkuil@xs4all.nl>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
        <linux-next@vger.kernel.org>, <linux-hardening@vger.kernel.org>
References: <202211100827.8A08F58A@keescook>
Content-Language: en-US
From:   Benjamin MUGNIER <benjamin.mugnier@foss.st.com>
In-Reply-To: <202211100827.8A08F58A@keescook>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.129.167.233]
X-ClientProxiedBy: EQNCAS1NODE4.st.com (10.75.129.82) To SHFDAG1NODE1.st.com
 (10.75.129.69)
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.219,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1
 definitions=2022-11-14_12,2022-11-11_01,2022-06-22_01
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,
        SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

Thank you for your report.

On 11/10/22 17:27, coverity-bot wrote:
> Hello!
> 
> This is an experimental semi-automated report about issues detected by
> Coverity from a scan of next-20221110 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
> 
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by commits:
> 
>   Thu Oct 27 14:37:38 2022 +0300
>     153e4ad44d60 ("media: i2c: Add driver for ST VGXY61 camera sensor")
> 
> Coverity reported the following:
> 
> *** CID 1527258:  Memory - corruptions  (OVERRUN)
> drivers/media/i2c/st-vgxy61.c:1528 in vgxy61_tx_from_ep()
> 1522     	 * valid for hardware stuff.
> 1523     	 */
> 1524     	for (p = 0; p < VGXY61_NB_POLARITIES; p++) {
> 1525     		if (phy2log[p] != ~0)
> 1526     			continue;
> 1527     		phy2log[p] = l;
> vvv     CID 1527258:  Memory - corruptions  (OVERRUN)
> vvv     Overrunning array "log2phy" of 5 4-byte elements at element index 5 (byte offset 23) using index "l" (which evaluates to 5).
> 1528     		log2phy[l] = p;
> 1529     		l++;
> 1530     	}
> 1531     	for (l = 0; l < l_nb + 1; l++)
> 1532     		polarities[l] = ep.bus.mipi_csi2.lane_polarities[l];
> 1533
> 
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
> 
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1527258 ("Memory - corruptions")
> Fixes: 153e4ad44d60 ("media: i2c: Add driver for ST VGXY61 camera sensor")
> 
> Note that l starts at 1, 2, or 4, so line 1529 could push it to 5, which
> is out of bounds, etc...

This 'for' loop is tied with the previous one.
The first loop fills log2phy with provided data, and the second one
fills slots that were not provided with hardware valid data. You can see
in the second loop:
  if (phy2log[p] != ~0)
    continue;
which prevents this loop from filling slots that were already filled,
and at the same time prevents 'l' to be incremented when this is the case.
As 'l' was incremented for each provided data by the first loop, and
incremented for each not provided data by the second loop. At the end of
the second loop l == VGXY61_NB_POLARITIES == 5 (because of the last
'l++'), but will never be used as an index for 'log2phy' because the
loop will end right after.


So if I'm not mistaken, and while hard to catch by tools this could be
understood as a false positive.

I could guard it with to make the checker happy with:
  if (p != VGXY61_NB_POLARITIES - 1) l++;
and it would be exactly the same, but I find this kind of unnecessary.


Any thoughts?

Thank you.

> 
> Thanks for your attention!
> 

-- 
Regards,

Benjamin