Date: Wed, 29 May 2024 16:39:42 +0200
From: Christian Marangi <ansuelsmth@...il.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: oe-kbuild@...ts.linux.dev, Pavel Machek <pavel@....cz>,
	Lee Jones <lee@...nel.org>, Rob Herring <robh@...nel.org>,
	Krzysztof Kozlowski <krzk@...nel.org>,
	Conor Dooley <conor+dt@...nel.org>,
	Jacek Anaszewski <jacek.anaszewski@...il.com>,
	linux-leds@...r.kernel.org, devicetree@...r.kernel.org,
	linux-kernel@...r.kernel.org, lkp@...el.com,
	oe-kbuild-all@...ts.linux.dev
Subject: Re: [PATCH v3 3/3] leds: leds-lp5569: Add support for Texas
 Instruments LP5569

On Wed, May 29, 2024 at 05:32:16PM +0300, Dan Carpenter wrote:
> Hi Christian,
> 
> kernel test robot noticed the following build warnings:
> 
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
> 
> url:    https://github.com/intel-lab-lkp/linux/commits/Christian-Marangi/dt-bindings-leds-lp55xx-Add-new-ti-lp5569-compatible/20240527-174959
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/lee/leds.git for-leds-next
> patch link:    https://lore.kernel.org/r/20240527094737.13354-3-ansuelsmth%40gmail.com
> patch subject: [PATCH v3 3/3] leds: leds-lp5569: Add support for Texas Instruments LP5569
> config: sparc-randconfig-r071-20240528 (https://download.01.org/0day-ci/archive/20240528/202405280611.QUICzlRj-lkp@intel.com/config)
> compiler: sparc-linux-gcc (GCC) 13.2.0
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@...el.com>
> | Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
> | Closes: https://lore.kernel.org/r/202405280611.QUICzlRj-lkp@intel.com/
> 
> New smatch warnings:
> drivers/leds/leds-lp5569.c:378 lp5569_update_program_memory() error: buffer overflow 'pattern' 128 <= 223
> 
> vim +/pattern +378 drivers/leds/leds-lp5569.c
> 
> ed7ae4f43e228c Christian Marangi 2024-05-27  340  static int lp5569_update_program_memory(struct lp55xx_chip *chip,
> ed7ae4f43e228c Christian Marangi 2024-05-27  341  					const u8 *data, size_t size)
> ed7ae4f43e228c Christian Marangi 2024-05-27  342  {
> ed7ae4f43e228c Christian Marangi 2024-05-27  343  	enum lp55xx_engine_index idx = chip->engine_idx;
> ed7ae4f43e228c Christian Marangi 2024-05-27  344  	u8 pattern[LP5569_PROGRAM_LENGTH] = {0};
> ed7ae4f43e228c Christian Marangi 2024-05-27  345  	unsigned int cmd;
> ed7ae4f43e228c Christian Marangi 2024-05-27  346  	char c[3];
> ed7ae4f43e228c Christian Marangi 2024-05-27  347  	int nrchars;
> ed7ae4f43e228c Christian Marangi 2024-05-27  348  	int ret;
> ed7ae4f43e228c Christian Marangi 2024-05-27  349  	int offset = 0;
> ed7ae4f43e228c Christian Marangi 2024-05-27  350  	int page, i = 0;
> ed7ae4f43e228c Christian Marangi 2024-05-27  351  
> ed7ae4f43e228c Christian Marangi 2024-05-27  352  	while ((offset < size - 1) && (i < LP5569_PROGRAM_LENGTH)) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  353  		/* separate sscanfs because length is working only for %s */
> ed7ae4f43e228c Christian Marangi 2024-05-27  354  		ret = sscanf(data + offset, "%2s%n ", c, &nrchars);
> ed7ae4f43e228c Christian Marangi 2024-05-27  355  		if (ret != 1)
> ed7ae4f43e228c Christian Marangi 2024-05-27  356  			goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  357  
> ed7ae4f43e228c Christian Marangi 2024-05-27  358  		ret = sscanf(c, "%2x", &cmd);
> ed7ae4f43e228c Christian Marangi 2024-05-27  359  		if (ret != 1)
> ed7ae4f43e228c Christian Marangi 2024-05-27  360  			goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  361  
> ed7ae4f43e228c Christian Marangi 2024-05-27  362  		pattern[i] = (u8)cmd;
> ed7ae4f43e228c Christian Marangi 2024-05-27  363  		offset += nrchars;
> ed7ae4f43e228c Christian Marangi 2024-05-27  364  		i++;
> ed7ae4f43e228c Christian Marangi 2024-05-27  365  	}
> ed7ae4f43e228c Christian Marangi 2024-05-27  366  
> ed7ae4f43e228c Christian Marangi 2024-05-27  367  	/* Each instruction is 16bit long. Check that length is even */
> ed7ae4f43e228c Christian Marangi 2024-05-27  368  	if (i % 2)
> ed7ae4f43e228c Christian Marangi 2024-05-27  369  		goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  370  
> ed7ae4f43e228c Christian Marangi 2024-05-27  371  	for (page = 0; page < LP5569_PROGRAM_LENGTH / LP5569_BYTES_PER_PAGE; page++) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  372  		/* Write to the next page each 32 bytes */
> ed7ae4f43e228c Christian Marangi 2024-05-27  373  		lp55xx_write(chip, LP5569_REG_PROG_PAGE_SEL,
> ed7ae4f43e228c Christian Marangi 2024-05-27  374  			     LP5569_PAGE_ENG(idx) + page);
> ed7ae4f43e228c Christian Marangi 2024-05-27  375  
> ed7ae4f43e228c Christian Marangi 2024-05-27  376  		for (i = 0; i < LP5569_PROGRAM_LENGTH; i++) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  377  			ret = lp55xx_write(chip, LP5569_REG_PROG_MEM + i,
> ed7ae4f43e228c Christian Marangi 2024-05-27 @378  					   pattern[i + (page * LP5569_BYTES_PER_PAGE)]);
>                                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> i can go up to LP5569_PROGRAM_LENGTH and "page * LP5569_BYTES_PER_PAGE"
> can also go up to LP5569_PROGRAM_LENGTH.  So we're 2x beyond the end of
> the array.
>

Yes, the second loop's max value should have been LP5569_BYTES_PER_PAGE,
totally a copy-paste error on my side.

Thanks a lot for warning about this bug, will send a new version with this
fixed.

> ed7ae4f43e228c Christian Marangi 2024-05-27  379  			if (ret)
> ed7ae4f43e228c Christian Marangi 2024-05-27  380  				return -EINVAL;
> ed7ae4f43e228c Christian Marangi 2024-05-27  381  		}
> ed7ae4f43e228c Christian Marangi 2024-05-27  382  	}
> ed7ae4f43e228c Christian Marangi 2024-05-27  383  
> ed7ae4f43e228c Christian Marangi 2024-05-27  384  
> ed7ae4f43e228c Christian Marangi 2024-05-27  385  	return size;
> ed7ae4f43e228c Christian Marangi 2024-05-27  386  
> ed7ae4f43e228c Christian Marangi 2024-05-27  387  err:
> ed7ae4f43e228c Christian Marangi 2024-05-27  388  	dev_err(&chip->cl->dev, "wrong pattern format\n");
> ed7ae4f43e228c Christian Marangi 2024-05-27  389  	return -EINVAL;
> ed7ae4f43e228c Christian Marangi 2024-05-27  390  }
> 
> -- 
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
> 

-- 
	Ansuel
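
Added example, not part of the thread or the driver: a user-space walk of the same nested loops that reproduces smatch's "128 <= 223" and shows the index range once the inner bound is the page size. The constants are inferred from the smatch message (128-byte array) and the quoted code comment (32 bytes per page); the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values: 128 from the smatch message, 32 from the quoted comment
 * "Write to the next page each 32 bytes". Not copied from the driver. */
#define PROGRAM_LENGTH 128
#define BYTES_PER_PAGE 32

/* Walk the loops of the quoted function with a given inner bound and return
 * the largest index that would be applied to pattern[]. Nothing is read. */
static size_t max_pattern_index(size_t inner_bound)
{
	size_t page, i, idx, max = 0;

	for (page = 0; page < PROGRAM_LENGTH / BYTES_PER_PAGE; page++)
		for (i = 0; i < inner_bound; i++) {
			idx = i + page * BYTES_PER_PAGE;
			if (idx > max)
				max = idx;
		}
	return max;
}

/* Count the accesses in the same walk that land outside pattern[]. */
static size_t out_of_bounds_accesses(size_t inner_bound)
{
	size_t page, i, count = 0;

	for (page = 0; page < PROGRAM_LENGTH / BYTES_PER_PAGE; page++)
		for (i = 0; i < inner_bound; i++)
			if (i + page * BYTES_PER_PAGE >= PROGRAM_LENGTH)
				count++;
	return count;
}

int main(void)
{
	/* Inner bound as posted in v3, then as described in the reply. */
	printf("v3 bound:    max index %zu, %zu accesses past the array\n",
	       max_pattern_index(PROGRAM_LENGTH),
	       out_of_bounds_accesses(PROGRAM_LENGTH));
	printf("fixed bound: max index %zu, %zu accesses past the array\n",
	       max_pattern_index(BYTES_PER_PAGE),
	       out_of_bounds_accesses(BYTES_PER_PAGE));
	return 0;
}
```

With the page-size bound, the four pages cover indices 0 to 127 with no access outside the array.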
