All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
@ 2021-07-07 13:50 Sudeep Holla
  2021-07-07 14:06 ` Cristian Marussi
  2021-07-14 16:36 ` Sudeep Holla
  0 siblings, 2 replies; 4+ messages in thread
From: Sudeep Holla @ 2021-07-07 13:50 UTC (permalink / raw)
  To: linux-arm-kernel
  Cc: Sudeep Holla, Cristian Marussi, kernel test robot, Dan Carpenter

The scmi_linux_errmap buffer access index is supposed to depend on the
array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
to check bounds but that can mismatch with the array size. It also
changes the success into -EIO though scmi_linux_errmap is never used in
case of success, it is expected to work for success case too.

It is slightly confusing code as the negative of the error code
is used as index to the buffer. Fix it by negating it at the start and
make it more readable.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
---
 drivers/firmware/arm_scmi/driver.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(Based on https://lore.kernel.org/r/20210707134739.1869481-1-sudeep.holla@arm.com)

diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
index 66e5e694be7d..2a5c1b3658c4 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -166,8 +166,10 @@ static const int scmi_linux_errmap[] = {
 
 static inline int scmi_to_linux_errno(int errno)
 {
-	if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX)
-		return scmi_linux_errmap[-errno];
+	int err_idx = -errno;
+
+	if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap))
+		return scmi_linux_errmap[err_idx];
 	return -EIO;
 }
 
-- 
2.25.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
  2021-07-07 13:50 [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow Sudeep Holla
@ 2021-07-07 14:06 ` Cristian Marussi
  2021-07-07 17:54   ` Sudeep Holla
  2021-07-14 16:36 ` Sudeep Holla
  1 sibling, 1 reply; 4+ messages in thread
From: Cristian Marussi @ 2021-07-07 14:06 UTC (permalink / raw)
  To: Sudeep Holla; +Cc: linux-arm-kernel, kernel test robot, Dan Carpenter

On Wed, Jul 07, 2021 at 02:50:28PM +0100, Sudeep Holla wrote:
> The scmi_linux_errmap buffer access index is supposed to depend on the
> array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
> to check bounds but that can mismatch with the array size. It also
> changes the success into -EIO though scmi_linux_errmap is never used in
> case of success, it is expected to work for success case too.
> 
> It is slightly confusing code as the negative of the error code
> is used as index to the buffer. Fix it by negating it at the start and
> make it more readable.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
> ---
>  drivers/firmware/arm_scmi/driver.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> (Based on https://lore.kernel.org/r/20210707134739.1869481-1-sudeep.holla@arm.com)
> 
> diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
> index 66e5e694be7d..2a5c1b3658c4 100644
> --- a/drivers/firmware/arm_scmi/driver.c
> +++ b/drivers/firmware/arm_scmi/driver.c
> @@ -166,8 +166,10 @@ static const int scmi_linux_errmap[] = {
>  
>  static inline int scmi_to_linux_errno(int errno)
>  {
> -	if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX)
> -		return scmi_linux_errmap[-errno];
> +	int err_idx = -errno;
> +
> +	if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap))
> +		return scmi_linux_errmap[err_idx];
>  	return -EIO;
>  }
>  
Hi,

Looks good to me; now SCMI_ERR_MAX is not referenced anymore by anyone
but I suppose is good practice to still keep it as an end-marker for
scmi_error_codes enum.

Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>

Thanks,
Cristian

> -- 
> 2.25.1
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
  2021-07-07 14:06 ` Cristian Marussi
@ 2021-07-07 17:54   ` Sudeep Holla
  0 siblings, 0 replies; 4+ messages in thread
From: Sudeep Holla @ 2021-07-07 17:54 UTC (permalink / raw)
  To: Cristian Marussi
  Cc: linux-arm-kernel, kernel test robot, Sudeep Holla, Dan Carpenter

On Wed, Jul 07, 2021 at 03:06:25PM +0100, Cristian Marussi wrote:
> On Wed, Jul 07, 2021 at 02:50:28PM +0100, Sudeep Holla wrote:
> > The scmi_linux_errmap buffer access index is supposed to depend on the
> > array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
> > to check bounds but that can mismatch with the array size. It also
> > changes the success into -EIO though scmi_linux_errmap is never used in
> > case of success, it is expected to work for success case too.
> > 
> > It is slightly confusing code as the negative of the error code
> > is used as index to the buffer. Fix it by negating it at the start and
> > make it more readable.
> > 
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
> > ---
> >  drivers/firmware/arm_scmi/driver.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > (Based on https://lore.kernel.org/r/20210707134739.1869481-1-sudeep.holla@arm.com)
> > 
> > diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
> > index 66e5e694be7d..2a5c1b3658c4 100644
> > --- a/drivers/firmware/arm_scmi/driver.c
> > +++ b/drivers/firmware/arm_scmi/driver.c
> > @@ -166,8 +166,10 @@ static const int scmi_linux_errmap[] = {
> >  
> >  static inline int scmi_to_linux_errno(int errno)
> >  {
> > -	if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX)
> > -		return scmi_linux_errmap[-errno];
> > +	int err_idx = -errno;
> > +
> > +	if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap))
> > +		return scmi_linux_errmap[err_idx];
> >  	return -EIO;
> >  }
> >  
> Hi,
> 
> Looks good to me; now SCMI_ERR_MAX is not referenced anymore by anyone
> but I suppose is good practice to still keep it as an end-marker for
> scmi_error_codes enum.
>

Good point, I will drop it as there are no users. It can be added later
if needed.

> Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
>

Thanks !

-- 
Regards,
Sudeep

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
  2021-07-07 13:50 [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow Sudeep Holla
  2021-07-07 14:06 ` Cristian Marussi
@ 2021-07-14 16:36 ` Sudeep Holla
  1 sibling, 0 replies; 4+ messages in thread
From: Sudeep Holla @ 2021-07-14 16:36 UTC (permalink / raw)
  To: linux-arm-kernel, Sudeep Holla
  Cc: Dan Carpenter, Cristian Marussi, kernel test robot

On Wed, 7 Jul 2021 14:50:28 +0100, Sudeep Holla wrote:
> The scmi_linux_errmap buffer access index is supposed to depend on the
> array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
> to check bounds but that can mismatch with the array size. It also
> changes the success into -EIO though scmi_linux_errmap is never used in
> case of success, it is expected to work for success case too.
> 
> It is slightly confusing code as the negative of the error code
> is used as index to the buffer. Fix it by negating it at the start and
> make it more readable.

Applied to sudeep.holla/linux (for-next/scmi), thanks!

[1/1] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
      https://git.kernel.org/sudeep.holla/c/7a691f16cc

--
Regards,
Sudeep


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-07-14 16:39 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-07 13:50 [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow Sudeep Holla
2021-07-07 14:06 ` Cristian Marussi
2021-07-07 17:54   ` Sudeep Holla
2021-07-14 16:36 ` Sudeep Holla

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.