* drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'
@ 2022-06-13 4:24 kernel test robot
From: kernel test robot @ 2022-06-13 4:24 UTC (permalink / raw)
To: kbuild
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Martin Faltesek <mfaltesek@google.com>
CC: Jakub Kicinski <kuba@kernel.org>
CC: Guenter Roeck <groeck@chromium.org>
CC: Krzysztof Kozlowski <krzk@kernel.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3
commit: f2e19b36593caed4c977c2f55aeba7408aeb2132 nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
date: 4 days ago
:::::: branch date: 5 hours ago
:::::: commit date: 4 days ago
config: i386-randconfig-m031-20220613 (https://download.01.org/0day-ci/archive/20220613/202206131240.rND1EfVM-lkp(a)intel.com/config)
compiler: gcc-11 (Debian 11.3.0-3) 11.3.0
If you fix the issue, kindly add the following tags where applicable
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'
Old smatch warnings:
drivers/nfc/st21nfca/se.c:337 st21nfca_connectivity_event_received() warn: potential spectre issue 'skb->data' [r]
vim +/params_len +343 drivers/nfc/st21nfca/se.c
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 291
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 292 /*
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 293 * Returns:
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 294 * <= 0: driver handled the event, skb consumed
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 295 * 1: driver does not handle the event, please do standard processing
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 296 */
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 297 int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 298 u8 event, struct sk_buff *skb)
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 299 {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 300 int r = 0;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 301 struct device *dev = &hdev->ndev->dev;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 302 struct nfc_evt_transaction *transaction;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 303 u32 aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 304 u8 params_len;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 305
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 306 pr_debug("connectivity gate event: %x\n", event);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 307
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 308 switch (event) {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 309 case ST21NFCA_EVT_CONNECTIVITY:
72c54c42b29439 drivers/nfc/st21nfca/se.c Christophe Ricard 2015-12-23 310 r = nfc_se_connectivity(hdev->ndev, host);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 311 break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 312 case ST21NFCA_EVT_TRANSACTION:
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 313 /* According to specification etsi 102 622
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 314 * 11.2.2.4 EVT_TRANSACTION Table 52
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 315 * Description Tag Length
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 316 * AID 81 5 to 16
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 317 * PARAMETERS 82 0 to 255
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 318 *
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 319 * The key differences are aid storage length is variably sized
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 320 * in the packet, but fixed in nfc_evt_transaction, and that the aid_len
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 321 * is u8 in the packet, but u32 in the structure, and the tags in
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 322 * the packet are not included in nfc_evt_transaction.
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 323 *
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 324 * size in bytes: 1 1 5-16 1 1 0-255
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 325 * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 326 * member name: aid_tag(M) aid_len aid params_tag(M) params_len params
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 327 * example: 0x81 5-16 X 0x82 0-255 X
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 328 */
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 329 if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 330 return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 331
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 332 aid_len = skb->data[1];
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 333
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 334 if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 335 return -EPROTO;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 336
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 337 params_len = skb->data[aid_len + 3];
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 338
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 339 /* Verify PARAMETERS tag is (82), and final check that there is enough
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 340 * space in the packet to read everything.
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 341 */
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 342 if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) ||
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 @343 (skb->len < aid_len + 4 + params_len))
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 344 return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 345
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 346 transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL);
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 347 if (!transaction)
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 348 return -ENOMEM;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 349
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 350 transaction->aid_len = aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 351 transaction->params_len = params_len;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 352
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 353 memcpy(transaction->aid, &skb->data[2], aid_len);
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 354 memcpy(transaction->params, &skb->data[aid_len + 4], params_len);
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 355
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 356 r = nfc_se_transaction(hdev->ndev, host, transaction);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 357 break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 358 default:
a9e062d0599f49 drivers/nfc/st21nfca/se.c Christophe Ricard 2015-10-25 359 nfc_err(&hdev->ndev->dev, "Unexpected event on connectivity gate\n");
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 360 return 1;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 361 }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 362 kfree_skb(skb);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 363 return r;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 364 }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 365 EXPORT_SYMBOL(st21nfca_connectivity_event_received);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 366
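Review bot: The `return -EPROTO;` at lines 330, 335 and 344 and the `return -ENOMEM;` at line 348 leave the function without reaching `kfree_skb(skb)` at line 362, although the header comment promises "<= 0: driver handled the event, skb consumed", so every malformed EVT_TRANSACTION packet appears to leak its skb (the caller is not shown here, so confirm it does not free the skb on a negative return). Setting the code and leaving the switch keeps the single release point: `r = -EPROTO; break;` and `r = -ENOMEM; break;`. On the smatch warning itself, `aid_len` comes from the packet and indexes `skb->data` at line 337 right after the bounds check, and the loaded `params_len` feeds the length test at line 343; if that speculative read is considered worth closing, clamp the index after the check with `aid_len = array_index_nospec(aid_len, sizeof(transaction->aid) + 1);` from `<linux/nospec.h>`. The same listing is repeated in the 2023-05-15 and 2023-03-10 reports further down this thread, so the note applies to them as well.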
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'
@ 2023-05-15 12:20 kernel test robot
From: kernel test robot @ 2023-05-15 12:20 UTC (permalink / raw)
To: oe-kbuild; +Cc: lkp, Dan Carpenter
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Martin Faltesek <mfaltesek@google.com>
CC: Jakub Kicinski <kuba@kernel.org>
CC: Guenter Roeck <groeck@chromium.org>
CC: Krzysztof Kozlowski <krzk@kernel.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6
commit: f2e19b36593caed4c977c2f55aeba7408aeb2132 nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
date: 11 months ago
:::::: branch date: 16 hours ago
:::::: commit date: 11 months ago
config: x86_64-randconfig-m001-20230515 (https://download.01.org/0day-ci/archive/20230515/202305152005.GyEKevc7-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
If you fix the issue, kindly add the following tags where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Link: https://lore.kernel.org/r/202305152005.GyEKevc7-lkp@intel.com/
New smatch warnings:
drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'
Old smatch warnings:
drivers/nfc/st21nfca/se.c:337 st21nfca_connectivity_event_received() warn: potential spectre issue 'skb->data' [r]
vim +/params_len +343 drivers/nfc/st21nfca/se.c
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 291
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 292 /*
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 293 * Returns:
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 294 * <= 0: driver handled the event, skb consumed
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 295 * 1: driver does not handle the event, please do standard processing
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 296 */
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 297 int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 298 u8 event, struct sk_buff *skb)
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 299 {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 300 int r = 0;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 301 struct device *dev = &hdev->ndev->dev;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 302 struct nfc_evt_transaction *transaction;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 303 u32 aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 304 u8 params_len;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 305
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 306 pr_debug("connectivity gate event: %x\n", event);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 307
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 308 switch (event) {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 309 case ST21NFCA_EVT_CONNECTIVITY:
72c54c42b29439 drivers/nfc/st21nfca/se.c Christophe Ricard 2015-12-23 310 r = nfc_se_connectivity(hdev->ndev, host);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 311 break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 312 case ST21NFCA_EVT_TRANSACTION:
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 313 /* According to specification etsi 102 622
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 314 * 11.2.2.4 EVT_TRANSACTION Table 52
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 315 * Description Tag Length
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 316 * AID 81 5 to 16
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 317 * PARAMETERS 82 0 to 255
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 318 *
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 319 * The key differences are aid storage length is variably sized
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 320 * in the packet, but fixed in nfc_evt_transaction, and that the aid_len
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 321 * is u8 in the packet, but u32 in the structure, and the tags in
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 322 * the packet are not included in nfc_evt_transaction.
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 323 *
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 324 * size in bytes: 1 1 5-16 1 1 0-255
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 325 * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 326 * member name: aid_tag(M) aid_len aid params_tag(M) params_len params
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 327 * example: 0x81 5-16 X 0x82 0-255 X
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 328 */
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 329 if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 330 return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 331
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 332 aid_len = skb->data[1];
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 333
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 334 if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 335 return -EPROTO;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 336
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 337 params_len = skb->data[aid_len + 3];
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 338
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 339 /* Verify PARAMETERS tag is (82), and final check that there is enough
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 340 * space in the packet to read everything.
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 341 */
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 342 if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) ||
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 @343 (skb->len < aid_len + 4 + params_len))
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 344 return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 345
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 346 transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL);
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 347 if (!transaction)
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 348 return -ENOMEM;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 349
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 350 transaction->aid_len = aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 351 transaction->params_len = params_len;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 352
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 353 memcpy(transaction->aid, &skb->data[2], aid_len);
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 354 memcpy(transaction->params, &skb->data[aid_len + 4], params_len);
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 355
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 356 r = nfc_se_transaction(hdev->ndev, host, transaction);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 357 break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 358 default:
a9e062d0599f49 drivers/nfc/st21nfca/se.c Christophe Ricard 2015-10-25 359 nfc_err(&hdev->ndev->dev, "Unexpected event on connectivity gate\n");
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 360 return 1;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 361 }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 362 kfree_skb(skb);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 363 return r;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 364 }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 365 EXPORT_SYMBOL(st21nfca_connectivity_event_received);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 366
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
* drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'
@ 2023-03-10 16:23 kernel test robot
From: kernel test robot @ 2023-03-10 16:23 UTC (permalink / raw)
To: oe-kbuild; +Cc: lkp, Dan Carpenter
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Martin Faltesek <mfaltesek@google.com>
CC: Jakub Kicinski <kuba@kernel.org>
CC: Guenter Roeck <groeck@chromium.org>
CC: Krzysztof Kozlowski <krzk@kernel.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 44889ba56cbb3d51154660ccd15818bc77276696
commit: f2e19b36593caed4c977c2f55aeba7408aeb2132 nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
date: 9 months ago
:::::: branch date: 21 hours ago
:::::: commit date: 9 months ago
config: s390-randconfig-m031-20230310 (https://download.01.org/0day-ci/archive/20230311/202303110021.z36kxnV1-lkp@intel.com/config)
compiler: s390-linux-gcc (GCC) 12.1.0
If you fix the issue, kindly add the following tags where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Link: https://lore.kernel.org/r/202303110021.z36kxnV1-lkp@intel.com/
New smatch warnings:
drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'
Old smatch warnings:
drivers/nfc/st21nfca/se.c:337 st21nfca_connectivity_event_received() warn: potential spectre issue 'skb->data' [r]
vim +/params_len +343 drivers/nfc/st21nfca/se.c
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 291
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 292 /*
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 293 * Returns:
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 294 * <= 0: driver handled the event, skb consumed
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 295 * 1: driver does not handle the event, please do standard processing
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 296 */
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 297 int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 298 u8 event, struct sk_buff *skb)
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 299 {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 300 int r = 0;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 301 struct device *dev = &hdev->ndev->dev;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 302 struct nfc_evt_transaction *transaction;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 303 u32 aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 304 u8 params_len;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 305
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 306 pr_debug("connectivity gate event: %x\n", event);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 307
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 308 switch (event) {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 309 case ST21NFCA_EVT_CONNECTIVITY:
72c54c42b29439 drivers/nfc/st21nfca/se.c Christophe Ricard 2015-12-23 310 r = nfc_se_connectivity(hdev->ndev, host);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 311 break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 312 case ST21NFCA_EVT_TRANSACTION:
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 313 /* According to specification etsi 102 622
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 314 * 11.2.2.4 EVT_TRANSACTION Table 52
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 315 * Description Tag Length
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 316 * AID 81 5 to 16
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 317 * PARAMETERS 82 0 to 255
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 318 *
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 319 * The key differences are aid storage length is variably sized
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 320 * in the packet, but fixed in nfc_evt_transaction, and that the aid_len
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 321 * is u8 in the packet, but u32 in the structure, and the tags in
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 322 * the packet are not included in nfc_evt_transaction.
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 323 *
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 324 * size in bytes: 1 1 5-16 1 1 0-255
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 325 * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 326 * member name: aid_tag(M) aid_len aid params_tag(M) params_len params
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 327 * example: 0x81 5-16 X 0x82 0-255 X
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31 328 */
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 329 if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 330 return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 331
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 332 aid_len = skb->data[1];
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 333
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 334 if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 335 return -EPROTO;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 336
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 337 params_len = skb->data[aid_len + 3];
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 338
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 339 /* Verify PARAMETERS tag is (82), and final check that there is enough
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 340 * space in the packet to read everything.
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 341 */
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 342 if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) ||
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 @343 (skb->len < aid_len + 4 + params_len))
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 344 return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 345
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 346 transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL);
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 347 if (!transaction)
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 348 return -ENOMEM;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 349
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 350 transaction->aid_len = aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 351 transaction->params_len = params_len;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c Jordy Zomer 2022-01-11 352
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 353 memcpy(transaction->aid, &skb->data[2], aid_len);
f2e19b36593cae drivers/nfc/st21nfca/se.c Martin Faltesek 2022-06-06 354 memcpy(transaction->params, &skb->data[aid_len + 4], params_len);
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 355
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01 356 r = nfc_se_transaction(hdev->ndev, host, transaction);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 357 break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 358 default:
a9e062d0599f49 drivers/nfc/st21nfca/se.c Christophe Ricard 2015-10-25 359 nfc_err(&hdev->ndev->dev, "Unexpected event on connectivity gate\n");
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 360 return 1;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 361 }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 362 kfree_skb(skb);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 363 return r;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 364 }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 365 EXPORT_SYMBOL(st21nfca_connectivity_event_received);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27 366
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests