[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45d1bb23-4559-4b38-8d26-8705541df69f@seco.com>
Date: Thu, 7 Mar 2024 11:06:48 -0500
From: Sean Anderson <sean.anderson@...o.com>
To: Aleksandr Mishin <amishin@...rgos.ru>,
Madalin Bucur <madalin.bucur@....com>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Igal Liberman
<igal.liberman@...escale.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] fsl/fman: Add array size check
On 3/7/24 03:04, Aleksandr Mishin wrote:
> [You don't often get email from amishin@...rgos.ru. Learn why this is important at https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2faka.ms%2fLearnAboutSenderIdentification&umid=bdb4cfa6-c48e-4063-9c43-6d5ce09db688&auth=d807158c60b7d2502abde8a2fc01f40662980862-eff8dde9dd9e5b6c3f9e726ab81488b46e7dd147 ]
>
> In fman_register_intr() and fman_unregister_intr()
> get_module_event() is assigned to event which is then used
> as array index without size check.
> Fix this bug by adding a check of event.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 414fd46e7762 (fsl/fman: Add FMan support)
> Signed-off-by: Aleksandr Mishin <amishin@...rgos.ru>
> ---
> drivers/net/ethernet/freescale/fman/fman.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
> index d96028f01770..902d05ffff1b 100644
> --- a/drivers/net/ethernet/freescale/fman/fman.c
> +++ b/drivers/net/ethernet/freescale/fman/fman.c
> @@ -2054,7 +2054,10 @@ void fman_register_intr(struct fman *fman, enum fman_event_modules module,
> int event = 0;
>
> event = get_module_event(module, mod_id, intr_type);
> - WARN_ON(event >= FMAN_EV_CNT);
> + if (event >= FMAN_EV_CNT) {
> + WARN_ON(event >= FMAN_EV_CNT);
> + return;
> + }
>
> /* register in local FM structure */
> fman->intr_mng[event].isr_cb = isr_cb;
> @@ -2079,7 +2082,10 @@ void fman_unregister_intr(struct fman *fman, enum fman_event_modules module,
> int event = 0;
>
> event = get_module_event(module, mod_id, intr_type);
> - WARN_ON(event >= FMAN_EV_CNT);
> + if (event >= FMAN_EV_CNT) {
> + WARN_ON(event >= FMAN_EV_CNT);
> + return;
> + }
>
> fman->intr_mng[event].isr_cb = NULL;
> fman->intr_mng[event].src_handle = NULL;
> --
> 2.30.2
>
Nack. This condition should never occur, that's why we have the WARN_ON.
--Sean
[Embedded World 2024, SECO SpA]<https://www.messe-ticket.de/Nuernberg/embeddedworld2024/Register/ew24517689>
Powered by blists - more mailing lists