[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210323132850.GB1463@shell.armlinux.org.uk>
Date: Tue, 23 Mar 2021 13:28:50 +0000
From: Russell King - ARM Linux admin <linux@...linux.org.uk>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>,
Kyungmin Park <kyungmin.park@...sung.com>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ARM: dma-mapping: fix out of bounds access in CMA
On Tue, Mar 23, 2021 at 02:14:13PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> Dereferencing a zero-length array is always a bug, and we get a warning
> with 'make W=1' here:
>
> arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
> arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
> 395 | dma_mmu_remap[dma_mmu_remap_num].base = base;
> | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
> 389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata;
> | ^~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
>
> Add a runtime check to prevent this from happening, while also
> avoiding the compile-time warning.
>
> Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> arch/arm/mm/dma-mapping.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index c4b8df2ad328..af29344fb150 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata;
>
> void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
> {
> + if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) {
> + WARN_ONCE(1, "number of CMA areas\n");
> + return;
> + }
> +
What if dma_mmu_remap_num were negative - that condition is not checked
and will also result in an overflow of the array. If we're being fussy
enough to bounds check, we ought to do it properly.
So, I think a better solution would be to make dma_mmu_remap_num an
unsigned int, and then to use:
if (dma_mmu_remap_num >= ARRAY_SIZE(dma_mmu_remap)) {
...
}
which is really the condition we're after here.
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
Powered by blists - more mailing lists