Date:   Wed, 12 Aug 2020 19:49:37 +0800
From:   kernel test robot <lkp@...el.com>
To:     Zong-Zhe Yang <kevin_yang@...ltek.com>
Cc:     kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org,
        Kalle Valo <kvalo@...eaurora.org>,
        Yan-Hsuan Chuang <yhchuang@...ltek.com>
Subject: drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db()
 error: buffer overflow 8 <= 8 (assuming for loop doesn't break)

Hi Zong-Zhe,

First bad commit (maybe != root cause):

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   fb893de323e2d39f7a1f6df425703a2edbdf56ea
commit: ba0fbe236fb8a7b992e82d6eafb03a600f5eba43 rtw88: extract: make 8822c an individual kernel module
date:   3 months ago
config: parisc-randconfig-m031-20200811 (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

smatch warnings:
drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]' 8 <= 8 (assuming for loop doesn't break)

vim +641 drivers/net/wireless/realtek/rtw88/phy.c

e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  599  
                                                 /*
                                                  * Convert a linear value to a dB value in the range 1..96 by
                                                  * searching db_invert_table.
                                                  *
                                                  * The search picks a row i (0..11) and a column j (0..7), rounds to
                                                  * the nearer neighbouring entry, and returns (i << 3) + j + 1.
                                                  * Inputs at or above db_invert_table[11][7] return 96 directly; 96 is
                                                  * also the largest value the formula can produce ((11 << 3) + 7 + 1),
                                                  * so the u32 result fits the u8 return type.
                                                  *
                                                  * Rows 0..2 are compared against linear << FRAC_BITS, rows 3..11
                                                  * against linear itself; presumably the first three rows hold
                                                  * fixed-point values (table definition not shown here; confirm).
                                                  */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  600  static u8 rtw_phy_linear_2_db(u64 linear)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  601  {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  602  	u8 i;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  603  	u8 j;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  604  	u32 dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  605  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  606  	if (linear >= db_invert_table[11][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  607  		return 96; /* maximum 96 dB */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  608  
                                                 	/*
                                                 	 * Row search. The early return above already handled
                                                 	 * linear >= db_invert_table[11][7], so the i == 11 test is true
                                                 	 * whenever it is reached and the loop never ends with i == 12.
                                                 	 */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  609  	for (i = 0; i < 12; i++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  610  		if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  611  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  612  		else if (i > 2 && linear <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  613  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  614  	}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  615  
                                                 	/*
                                                 	 * Column search within row i. The j == 7 test is the same
                                                 	 * expression that ended the row search, so this loop breaks with
                                                 	 * j <= 7.
                                                 	 */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  616  	for (j = 0; j < 8; j++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  617  		if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  618  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  619  		else if (i > 2 && linear <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  620  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  621  	}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  622  
                                                 	/* First entry of the first row: nothing below it to round towards. */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  623  	if (j == 0 && i == 0)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  624  		goto end;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  625  
                                                 	/*
                                                 	 * Round to the nearer of the matched entry and the one before it.
                                                 	 * For j == 0 the previous entry is the last column of row i - 1.
                                                 	 *
                                                 	 * NOTE(review): the i != 3 arm and the else arm compute the same
                                                 	 * thing; the else arm is the first arm with i == 3 substituted.
                                                 	 * All three comparisons below subtract the unshifted linear, even
                                                 	 * when an entry comes from rows 0..2, which the searches compare
                                                 	 * against linear << FRAC_BITS. Confirm the scaling is intended.
                                                 	 */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  626  	if (j == 0) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  627  		if (i != 3) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  628  			if (db_invert_table[i][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  629  			    linear - db_invert_table[i - 1][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  630  				i = i - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  631  				j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  632  			}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  633  		} else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  634  			if (db_invert_table[3][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  635  			    linear - db_invert_table[2][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  636  				i = 2;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  637  				j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  638  			}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  639  		}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  640  	} else {
                                                 		/*
                                                 		 * NOTE(review): smatch flags the next line because it
                                                 		 * cannot prove the column loop always breaks; j == 8 would
                                                 		 * read one element past the 8-entry row. From the two
                                                 		 * loops above j <= 7 here, so the report looks like a
                                                 		 * false positive. An explicit bound check on i and j
                                                 		 * before indexing would make the invariant visible to the
                                                 		 * checker and to readers.
                                                 		 */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 @641  		if (db_invert_table[i][j] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  642  		    linear - db_invert_table[i][j - 1]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  643  			j = j - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  644  		}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  645  	}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  646  end:
                                                 	/* Eight columns per row; the + 1 makes the first entry map to 1. */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  647  	dB = (i << 3) + j + 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  648  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  649  	return dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  650  }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  651  

:::::: The code at line 641 was first introduced by commit
:::::: e3037485c68ec1a299ff41160d8fedbd4abc29b9 rtw88: new Realtek 802.11ac driver

:::::: TO: Yan-Hsuan Chuang <yhchuang@...ltek.com>
:::::: CC: Kalle Valo <kvalo@...eaurora.org>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (30567 bytes)
