lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Oct 2020 14:53:57 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Colin Ian King <colin.king@...onical.com>, Markus Mayer <mmayer@...adcom.com>, Florian Fainelli <f.fainelli@...il.com>, Krzysztof Kozlowski <krzk@...nel.org>, Sasha Levin <sashal@...nel.org> Subject: [PATCH 5.9 587/757] memory: brcmstb_dpfe: fix array index out of bounds From: Markus Mayer <mmayer@...adcom.com> [ Upstream commit f42ae4bbf94c15aa720afb9d176ecbfe140d792e ] We would overrun the error_text array if we hit a TIMEOUT condition, because we were using the error code "ETIMEDOUT" (which is 110) as an array index. We fix the problem by correcting the array index and by providing a function to retrieve error messages rather than accessing the array directly. The function includes a bounds check that prevents the array from being overrun. Link: https://lore.kernel.org/linux-arm-kernel/38d00022-730c-948a-917c-d86382df8cb9@canonical.com/ Link: https://lore.kernel.org/r/20200822205000.15841-1-mmayer@broadcom.com Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE") Reported-by: Colin Ian King <colin.king@...onical.com> Signed-off-by: Markus Mayer <mmayer@...adcom.com> Acked-by: Florian Fainelli <f.fainelli@...il.com> Signed-off-by: Krzysztof Kozlowski <krzk@...nel.org> Signed-off-by: Sasha Levin <sashal@...nel.org> --- drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c index 60e8633b11758..ddff687c79eaa 100644 --- a/drivers/memory/brcmstb_dpfe.c +++ b/drivers/memory/brcmstb_dpfe.c @@ -188,11 +188,6 @@ struct brcmstb_dpfe_priv { struct mutex lock; }; -static const char * const error_text[] = { - "Success", "Header code incorrect", "Unknown command or argument", - "Incorrect checksum", "Malformed command", "Timed out", -}; - /* * Forward declaration of our sysfs attribute functions, so we can declare the * attribute data structures early. @@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = { }, }; +static const char *get_error_text(unsigned int i) +{ + static const char * const error_text[] = { + "Success", "Header code incorrect", + "Unknown command or argument", "Incorrect checksum", + "Malformed command", "Timed out", "Unknown error", + }; + + if (unlikely(i >= ARRAY_SIZE(error_text))) + i = ARRAY_SIZE(error_text) - 1; + + return error_text[i]; +} + static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv) { u32 val; @@ -445,7 +454,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd, } if (resp != 0) { mutex_unlock(&priv->lock); - return -ETIMEDOUT; + return -ffs(DCPU_RET_ERR_TIMEDOUT); } /* Compute checksum over the message */ @@ -691,7 +700,7 @@ static ssize_t generic_show(unsigned int command, u32 response[], ret = __send_command(priv, command, response); if (ret < 0) - return sprintf(buf, "ERROR: %s\n", error_text[-ret]); + return sprintf(buf, "ERROR: %s\n", get_error_text(-ret)); return 0; } -- 2.25.1
Powered by blists - more mailing lists