Message-ID: <mhng-dc5227fd-20f9-4cda-aa97-d458d528b05b@palmer-ri-x1c9>
Date:   Wed, 20 Apr 2022 15:38:12 -0700 (PDT)
From:   Palmer Dabbelt <palmer@...osinc.com>
To:     dan.carpenter@...cle.com, Atish Patra <atishp@...osinc.com>
CC:     kbuild@...ts.01.org, lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org
Subject:     Re: drivers/perf/riscv_pmu_sbi.c:464 pmu_sbi_get_ctrinfo() warn: potentially one past the end of array 'pmu_ctr_list[i]'

On Wed, 20 Apr 2022 02:31:33 PDT (-0700), dan.carpenter@...cle.com wrote:
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head:   59250f8a7f3a60a2661b84cbafc1e0eb5d05ec9b
> commit: e9991434596f5373dfd75857b445eb92a9253c56 RISC-V: Add perf platform driver based on SBI PMU extension
> config: riscv-randconfig-m031-20220416 (https://download.01.org/0day-ci/archive/20220416/202204161940.BrRZvzdD-lkp@intel.com/config)
> compiler: riscv32-linux-gcc (GCC) 11.2.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@...el.com>
> Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
>
> smatch warnings:
> drivers/perf/riscv_pmu_sbi.c:464 pmu_sbi_get_ctrinfo() warn: potentially one past the end of array 'pmu_ctr_list[i]'
> drivers/perf/riscv_pmu_sbi.c:464 pmu_sbi_get_ctrinfo() warn: potentially one past the end of array 'pmu_ctr_list[i]'
>
> vim +464 drivers/perf/riscv_pmu_sbi.c
>
> e9991434596f53 Atish Patra 2022-02-18  444  static int pmu_sbi_get_ctrinfo(int nctr)
> e9991434596f53 Atish Patra 2022-02-18  445  {
> e9991434596f53 Atish Patra 2022-02-18  446  	struct sbiret ret;
> e9991434596f53 Atish Patra 2022-02-18  447  	int i, num_hw_ctr = 0, num_fw_ctr = 0;
> e9991434596f53 Atish Patra 2022-02-18  448  	union sbi_pmu_ctr_info cinfo;
> e9991434596f53 Atish Patra 2022-02-18  449
> e9991434596f53 Atish Patra 2022-02-18  450  	pmu_ctr_list = kcalloc(nctr, sizeof(*pmu_ctr_list), GFP_KERNEL);
>                                                                        ^^^^
>
> e9991434596f53 Atish Patra 2022-02-18  451  	if (!pmu_ctr_list)
> e9991434596f53 Atish Patra 2022-02-18  452  		return -ENOMEM;
> e9991434596f53 Atish Patra 2022-02-18  453
> e9991434596f53 Atish Patra 2022-02-18  454  	for (i = 0; i <= nctr; i++) {
>                                                             ^^^^^^^^^
> The <= should be <
>
> e9991434596f53 Atish Patra 2022-02-18  455  		ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_GET_INFO, i, 0, 0, 0, 0, 0);
> e9991434596f53 Atish Patra 2022-02-18  456  		if (ret.error)
> e9991434596f53 Atish Patra 2022-02-18  457  			/* The logical counter ids are not expected to be contiguous */
> e9991434596f53 Atish Patra 2022-02-18  458  			continue;
> e9991434596f53 Atish Patra 2022-02-18  459  		cinfo.value = ret.value;
> e9991434596f53 Atish Patra 2022-02-18  460  		if (cinfo.type == SBI_PMU_CTR_TYPE_FW)
> e9991434596f53 Atish Patra 2022-02-18  461  			num_fw_ctr++;
> e9991434596f53 Atish Patra 2022-02-18  462  		else
> e9991434596f53 Atish Patra 2022-02-18  463  			num_hw_ctr++;
> e9991434596f53 Atish Patra 2022-02-18 @464  		pmu_ctr_list[i].value = cinfo.value;
>                                                         ^^^^^^^^^^^^^^^
> Off by one
>
> e9991434596f53 Atish Patra 2022-02-18  465  	}
> e9991434596f53 Atish Patra 2022-02-18  466
> e9991434596f53 Atish Patra 2022-02-18  467  	pr_info("%d firmware and %d hardware counters\n", num_fw_ctr, num_hw_ctr);
> e9991434596f53 Atish Patra 2022-02-18  468
> e9991434596f53 Atish Patra 2022-02-18  469  	return 0;
> e9991434596f53 Atish Patra 2022-02-18  470  }

I think this should do it

    diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c
    index a1317a483512..50394ef1adef 100644
    --- a/drivers/perf/riscv_pmu_sbi.c
    +++ b/drivers/perf/riscv_pmu_sbi.c
    @@ -457,7 +457,7 @@ static int pmu_sbi_get_ctrinfo(int nctr)
     	if (!pmu_ctr_list)
     		return -ENOMEM;
     
    -	for (i = 0; i <= nctr; i++) {
    +	for (i = 0; i < nctr; i++) {
     		ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_GET_INFO, i, 0, 0, 0, 0, 0);
     		if (ret.error)
     			/* The logical counter ids are not expected to be contiguous */
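
Review bot: On the changed `for` line, the new bound `i < nctr` matches the `kcalloc(nctr, sizeof(*pmu_ctr_list), GFP_KERNEL)` allocation, so `pmu_ctr_list[i]` stays in bounds, but the context comment directly below says the logical counter ids are not expected to be contiguous. Please confirm that no valid counter id can be equal to or greater than nctr, since such an id would now never be queried; if one can, the array should be sized by the highest id instead of changing the bound. When this goes out as a formal patch, it should also carry a Fixes: tag for e9991434596f and the two Reported-by tags requested in the report.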

but I'm not super familiar with the perf code and there's frequently this
pattern of "0 is reserved as a special value" in the RISC-V specs (interrupt
numbers, for example) so I may be wrong here.  IIUC none of that is going on
here, as these are all indirect/non-contiguous, but I'll let Atish take a look.

Thanks!
