[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YDeaCk5zoAfgEuF6@atomide.com>
Date: Thu, 25 Feb 2021 14:37:30 +0200
From: Tony Lindgren <tony@...mide.com>
To: Krzysztof Kozlowski <krzk@...nel.org>
Cc: Dan Carpenter <dan.carpenter@...cle.com>,
Colin King <colin.king@...onical.com>,
Roger Quadros <rogerq@...nel.org>, linux-omap@...r.kernel.org,
kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] memory: gpmc: fix out of bounds read and dereference on
gpmc_cs[]
* Krzysztof Kozlowski <krzk@...nel.org> [210224 08:11]:
> On Wed, Feb 24, 2021 at 10:55:52AM +0300, Dan Carpenter wrote:
> > On Tue, Feb 23, 2021 at 07:38:21PM +0000, Colin King wrote:
> > > From: Colin Ian King <colin.king@...onical.com>
> > >
> > > Currently the array gpmc_cs is indexed by cs before it cs is range checked
> > > and the pointer read from this out-of-index read is dereferenced. Fix this
> > > by performing the range check on cs before the read and the following
> > > pointer dereference.
> > >
> > > Addresses-Coverity: ("Negative array index read")
> > > Fixes: 186401937927 ("memory: gpmc: Move omap gpmc code to live under drivers")
> > > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > > ---
> > > drivers/memory/omap-gpmc.c | 7 +++++--
> > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
> > > index cfa730cfd145..f80c2ea39ca4 100644
> > > --- a/drivers/memory/omap-gpmc.c
> > > +++ b/drivers/memory/omap-gpmc.c
> > > @@ -1009,8 +1009,8 @@ EXPORT_SYMBOL(gpmc_cs_request);
> > >
> > > void gpmc_cs_free(int cs)
> > > {
> > > - struct gpmc_cs_data *gpmc = &gpmc_cs[cs];
> > > - struct resource *res = &gpmc->mem;
> >
> > There is no actual dereferencing going on here, it just taking the
> > addresses. But the patch is also harmless and improves readability.
>
> Hm, in the second line indeed the compiler will just calculate the
> offset of "mem" field against the "gpmc_cs+cs" and return it's probable
> address.
>
> To me still the code is a little bit non-obvious or obfuscated - first
> you play with the array[index] and then you check the validity of index.
To me it seems the fixes tag is not ideal.. Seems this issue was there
earlier too before moving the code. In any case:
Reviewed-by: Tony Lindgren <tony@...mide.com>
Powered by blists - more mailing lists