| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 May 2023 14:48:49 -0500
From: Bjorn Helgaas <helgaas@...nel.org>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc: Krzysztof Wilczyński <kw@...ux.com>,
Rich Felker <dalias@...c.org>, linux-sh@...r.kernel.org,
linux-pci@...r.kernel.org,
Dominik Brodowski <linux@...inikbrodowski.net>,
linux-kernel@...r.kernel.org,
Mickaël Salaün <mic@...ikod.net>,
Andrew Lunn <andrew@...n.ch>, sparclinux@...r.kernel.org,
Stefano Stabellini <sstabellini@...nel.org>,
Yoshinori Sato <ysato@...rs.sourceforge.jp>,
Gregory Clement <gregory.clement@...tlin.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@...el.com>,
Russell King <linux@...linux.org.uk>,
linux-acpi@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>,
xen-devel@...ts.xenproject.org, Matt Turner <mattst88@...il.com>,
Anatolij Gustschin <agust@...x.de>,
Sebastian Hesselbarth <sebastian.hesselbarth@...il.com>,
Arnd Bergmann <arnd@...db.de>,
Niklas Schnelle <schnelle@...ux.ibm.com>,
Richard Henderson <richard.henderson@...aro.org>,
Nicholas Piggin <npiggin@...il.com>,
Ivan Kokshaysky <ink@...assic.park.msu.ru>,
John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Mika Westerberg <mika.westerberg@...ux.intel.com>,
linux-arm-kernel@...ts.infradead.org,
Juergen Gross <jgross@...e.com>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
Philippe Mathieu-Daudé <philmd@...aro.org>,
linuxppc-dev@...ts.ozlabs.org,
Randy Dunlap <rdunlap@...radead.org>,
linux-mips@...r.kernel.org,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
linux-alpha@...r.kernel.org,
Pali Rohár <pali@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
"Maciej W. Rozycki" <macro@...am.me.uk>
Subject: Re: [PATCH v8 0/7] Add pci_dev_for_each_resource() helper and update
users
On Fri, May 12, 2023 at 01:56:29PM +0300, Andy Shevchenko wrote:
> On Tue, May 09, 2023 at 01:21:22PM -0500, Bjorn Helgaas wrote:
> > On Tue, Apr 04, 2023 at 11:11:01AM -0500, Bjorn Helgaas wrote:
> > > On Thu, Mar 30, 2023 at 07:24:27PM +0300, Andy Shevchenko wrote:
> > > > Provide two new helper macros to iterate over PCI device resources and
> > > > convert users.
> >
> > > Applied 2-7 to pci/resource for v6.4, thanks, I really like this!
> >
> > This is 09cc90063240 ("PCI: Introduce pci_dev_for_each_resource()")
> > upstream now.
> >
> > Coverity complains about each use,
>
> It needs more clarification here. Use of reduced variant of the
> macro or all of them? If the former one, then I can speculate that
> Coverity (famous for false positives) simply doesn't understand `for
> (type var; var ...)` code.
True, Coverity finds false positives. It flagged every use in
drivers/pci and drivers/pnp. It didn't mention the arch/alpha, arm,
mips, powerpc, sh, or sparc uses, but I think it just didn't look at
those.
It flagged both:
pbus_size_io pci_dev_for_each_resource(dev, r)
pbus_size_mem pci_dev_for_each_resource(dev, r, i)
Here's a spreadsheet with a few more details (unfortunately I don't
know how to make it dump the actual line numbers or analysis like I
pasted below, so "pci_dev_for_each_resource" doesn't appear). These
are mostly in the "Drivers-PCI" component.
https://docs.google.com/spreadsheets/d/1ohOJwxqXXoDUA0gwopgk-z-6ArLvhN7AZn4mIlDkHhQ/edit?usp=sharing
These particular reports are in the "High Impact Outstanding" tab.
> > sample below from
> > drivers/pci/vgaarb.c. I didn't investigate at all, so it might be a
> > false positive; just FYI.
> >
> > 1. Condition screen_info.capabilities & (2U /* 1 << 1 */), taking true branch.
> > 556 if (screen_info.capabilities & VIDEO_CAPABILITY_64BIT_BASE)
> > 557 base |= (u64)screen_info.ext_lfb_base << 32;
> > 558
> > 559 limit = base + size;
> > 560
> > 561 /* Does firmware framebuffer belong to us? */
> > 2. Condition __b < PCI_NUM_RESOURCES, taking true branch.
> > 3. Condition (r = &pdev->resource[__b]) , (__b < PCI_NUM_RESOURCES), taking true branch.
> > 6. Condition __b < PCI_NUM_RESOURCES, taking true branch.
> > 7. cond_at_most: Checking __b < PCI_NUM_RESOURCES implies that __b may be up to 16 on the true branch.
> > 8. Condition (r = &pdev->resource[__b]) , (__b < PCI_NUM_RESOURCES), taking true branch.
> > 11. incr: Incrementing __b. The value of __b may now be up to 17.
> > 12. alias: Assigning: r = &pdev->resource[__b]. r may now point to as high as element 17 of pdev->resource (which consists of 17 64-byte elements).
> > 13. Condition __b < PCI_NUM_RESOURCES, taking true branch.
> > 14. Condition (r = &pdev->resource[__b]) , (__b < PCI_NUM_RESOURCES), taking true branch.
> > 562 pci_dev_for_each_resource(pdev, r) {
> > 4. Condition resource_type(r) != 512, taking true branch.
> > 9. Condition resource_type(r) != 512, taking true branch.
> >
> > CID 1529911 (#1 of 1): Out-of-bounds read (OVERRUN)
> > 15. overrun-local: Overrunning array of 1088 bytes at byte offset 1088 by dereferencing pointer r. [show details]
> > 563 if (resource_type(r) != IORESOURCE_MEM)
> > 5. Continuing loop.
> > 10. Continuing loop.
> > 564 continue;
>
> --
> With Best Regards,
> Andy Shevchenko
>
>
Powered by blists - more mailing lists