lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20231116140144.work.027-kees@kernel.org>
Date:   Thu, 16 Nov 2023 06:01:47 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Guenter Roeck <linux@...ck-us.net>
Cc:     Kees Cook <keescook@...omium.org>, Rob Herring <robh@...nel.org>,
        Jean Delvare <jdelvare@...e.com>, linux-hwmon@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: [PATCH] hwmon: Explicitly initialize nct6775_sio_names indexes

Changing the "kinds" enum start value to be 1-indexed instead of
0-indexed caused look-ups in nct6775_sio_namesp[] to be misaligned or
off the end. Coverity reported:

*** CID 1571052:  Memory - illegal accesses  (OVERRUN)
drivers/hwmon/nct6775-platform.c:1075 in nct6775_find()
1069                sio_data->kind == nct6793 || sio_data->kind == nct6795 ||
1070                sio_data->kind == nct6796 || sio_data->kind == nct6797 ||
1071                sio_data->kind == nct6798 || sio_data->kind == nct6799)
1072                    nct6791_enable_io_mapping(sio_data);
1073
1074            sio_data->sio_exit(sio_data);
vvv     CID 1571052:  Memory - illegal accesses  (OVERRUN)
vvv     Overrunning array "nct6775_sio_names" of 13 8-byte elements at element index 13 (byte offset 111) using index "sio_data->kind" (which evaluates to 13).
1075            pr_info("Found %s or compatible chip at %#x:%#x\n",
1076                    nct6775_sio_names[sio_data->kind], sioaddr, addr);
1077
1078            return addr;
1079     }
1080

Initialize the string list with explicit indexes.

Cc: Guenter Roeck <linux@...ck-us.net>
Cc: Rob Herring <robh@...nel.org>
Cc: Jean Delvare <jdelvare@...e.com>
Cc: linux-hwmon@...r.kernel.org
Fixes: 0a7093e69c1e ("hwmon: nct6775-i2c: Use i2c_get_match_data()")
Signed-off-by: Kees Cook <keescook@...omium.org>
---
 drivers/hwmon/nct6775-platform.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/drivers/hwmon/nct6775-platform.c b/drivers/hwmon/nct6775-platform.c
index 0adeeab7ee03..9aa4dcf4a6f3 100644
--- a/drivers/hwmon/nct6775-platform.c
+++ b/drivers/hwmon/nct6775-platform.c
@@ -23,19 +23,19 @@
 enum sensor_access { access_direct, access_asuswmi };
 
 static const char * const nct6775_sio_names[] __initconst = {
-	"NCT6106D",
-	"NCT6116D",
-	"NCT6775F",
-	"NCT6776D/F",
-	"NCT6779D",
-	"NCT6791D",
-	"NCT6792D",
-	"NCT6793D",
-	"NCT6795D",
-	"NCT6796D",
-	"NCT6797D",
-	"NCT6798D",
-	"NCT6796D-S/NCT6799D-R",
+	[nct6106] = "NCT6106D",
+	[nct6116] = "NCT6116D",
+	[nct6775] = "NCT6775F",
+	[nct6776] = "NCT6776D/F",
+	[nct6779] = "NCT6779D",
+	[nct6791] = "NCT6791D",
+	[nct6792] = "NCT6792D",
+	[nct6793] = "NCT6793D",
+	[nct6795] = "NCT6795D",
+	[nct6796] = "NCT6796D",
+	[nct6797] = "NCT6797D",
+	[nct6798] = "NCT6798D",
+	[nct6799] = "NCT6796D-S/NCT6799D-R",
 };
 
 static unsigned short force_id;
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ