| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Jul 2022 12:30:32 +0200
From: Christophe JAILLET <christophe.jaillet@...adoo.fr>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: alsa-devel@...a-project.org,
Banajit Goswami <bgoswami@...eaurora.org>,
Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
Takashi Iwai <tiwai@...e.com>,
Liam Girdwood <lgirdwood@...il.com>,
Mark Brown <broonie@...nel.org>,
Srinivas Kandagatla <srinivas.kandagatla@...aro.org>,
Banajit Goswami <bgoswami@...cinc.com>
Subject: Re: [PATCH] ASoC: qcom: q6dsp: Fix an off-by-one in
q6adm_alloc_copp()
Le 21/07/2022 à 12:00, Dan Carpenter a écrit :
> On Thu, Jul 21, 2022 at 11:02:22AM +0200, Christophe JAILLET wrote:
>> find_first_zero_bit() returns MAX_COPPS_PER_PORT at max here.
>> So 'idx' should be tested with ">=" or the test can't match.
>>
>> Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver")
>> Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>
>> ---
>> sound/soc/qcom/qdsp6/q6adm.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/sound/soc/qcom/qdsp6/q6adm.c b/sound/soc/qcom/qdsp6/q6adm.c
>> index 01f383888b62..1530e98df165 100644
>> --- a/sound/soc/qcom/qdsp6/q6adm.c
>> +++ b/sound/soc/qcom/qdsp6/q6adm.c
>> @@ -217,7 +217,7 @@ static struct q6copp *q6adm_alloc_copp(struct q6adm *adm, int port_idx)
>> idx = find_first_zero_bit(&adm->copp_bitmap[port_idx],
>> MAX_COPPS_PER_PORT);
>>
>> - if (idx > MAX_COPPS_PER_PORT)
>> + if (idx >= MAX_COPPS_PER_PORT)
>> return ERR_PTR(-EBUSY);
>
> Harshit asked me to write a Smatch check to prevent this bug in the
> future. I got his email before I got your patch. :P Attached.
Well, well, well...
Easy to say afterwards. You got 58 mins to write it. :).
>
> sound/soc/qcom/qdsp6/q6adm.c:220 q6adm_alloc_copp() warn: impossible find_next_bit condition
>
> I'll probably try to make this check more generic, but even the simple
> find_first_zero_bit() version will probably find bugs in the future and
> it was pretty simple to write.
You could add find_last_bit(), find_next_zero_bit_le() and
find_next_bit_le().
>
> regards,
> dan carpenter
>
>
A reduced version of mine was:
@@
expression e1, e2;
statement S;
@@
(
* e1 = find_first_bit(...);
|
* e1 = find_last_bit(...);
|
[... snip ...]
)
...
if (e1 > e2)
S
(and it takes only a few seconds to scan the whole kernel :) )
Powered by blists - more mailing lists