| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1586851826-16596-1-git-send-email-peng.fan@nxp.com>
Date: Tue, 14 Apr 2020 16:10:26 +0800
From: peng.fan@....com
To: shawnguo@...nel.org, s.hauer@...gutronix.de,
jassisinghbrar@...il.com, o.rempel@...gutronix.de,
leonard.crestez@....com
Cc: kernel@...gutronix.de, festevam@...il.com, linux-imx@....com,
Anson.Huang@....com, aisheng.dong@....com,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
Peng Fan <peng.fan@....com>
Subject: [PATCH] mailbox: imx-mailbox: fix scu msg header size check
From: Peng Fan <peng.fan@....com>
The i.MX8 SCU message header size is the number of "u32" elements,
not "u8", so fix the check.
Reported-by: coverity-bot <keescook+coverity-bot@...omium.org>
Addresses-Coverity-ID: 1461658 ("Memory - corruptions")
Signed-off-by: Peng Fan <peng.fan@....com>
---
V2:
I not include the fixes tag, since this patch still in next tree.
drivers/mailbox/imx-mailbox.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c
index 7906624a731c..c2398cb63ea0 100644
--- a/drivers/mailbox/imx-mailbox.c
+++ b/drivers/mailbox/imx-mailbox.c
@@ -154,12 +154,12 @@ static int imx_mu_scu_tx(struct imx_mu_priv *priv,
switch (cp->type) {
case IMX_MU_TYPE_TX:
- if (msg->hdr.size > sizeof(*msg)) {
+ if (msg->hdr.size > (sizeof(*msg) / 4)) {
/*
* The real message size can be different to
* struct imx_sc_rpc_msg_max size
*/
- dev_err(priv->dev, "Exceed max msg size (%zu) on TX, got: %i\n", sizeof(*msg), msg->hdr.size);
+ dev_err(priv->dev, "Exceed max msg size (%zu) on TX, got: %i\n", sizeof(*msg) / 4, msg->hdr.size);
return -EINVAL;
}
@@ -198,9 +198,9 @@ static int imx_mu_scu_rx(struct imx_mu_priv *priv,
imx_mu_xcr_rmw(priv, 0, IMX_MU_xCR_RIEn(0));
*data++ = imx_mu_read(priv, priv->dcfg->xRR[0]);
- if (msg.hdr.size > sizeof(msg)) {
+ if (msg.hdr.size > (sizeof(msg) / 4)) {
dev_err(priv->dev, "Exceed max msg size (%zu) on RX, got: %i\n",
- sizeof(msg), msg.hdr.size);
+ sizeof(msg) / 4, msg.hdr.size);
return -EINVAL;
}
--
2.16.4
Powered by blists - more mailing lists