* [bug report] ACPI: NFIT: Define runtime firmware activation commands
From: Dan Carpenter @ 2020-11-11 11:30 UTC (permalink / raw)
To: dan.j.williams; +Cc: linux-nvdimm
Hello Dan Williams,
The patch 6450ddbd5d8e: "ACPI: NFIT: Define runtime firmware
activation commands" from Jul 20, 2020, leads to the following static
checker warning:
drivers/acpi/nfit/core.c:481 acpi_nfit_ctl()
error: passing untrusted data 'family' to 'test_bit()'
drivers/acpi/nfit/core.c:483 acpi_nfit_ctl()
warn: uncapped user index 'acpi_desc->family_dsm_mask[family]'
drivers/acpi/nfit/core.c
435 int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
436 unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
437 {
438 struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
439 struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
440 union acpi_object in_obj, in_buf, *out_obj;
441 const struct nd_cmd_desc *desc = NULL;
442 struct device *dev = acpi_desc->dev;
443 struct nd_cmd_pkg *call_pkg = NULL;
444 const char *cmd_name, *dimm_name;
445 unsigned long cmd_mask, dsm_mask;
446 u32 offset, fw_status = 0;
447 acpi_handle handle;
448 const guid_t *guid;
449 int func, rc, i;
450 int family = 0;
451
452 if (cmd_rc)
453 *cmd_rc = -EINVAL;
454
455 if (cmd == ND_CMD_CALL)
456 call_pkg = buf;
^^^^^^^^^^^^^^^
If cmd == ND_CMD_CALL then call_pkg is controlled by the user.
457 func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
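cmd_to_func() checks "call_pkg->nd_family" but only if nfit_mem is
non-NULL.  On the bus path below (the else branch at line 474, which
appears to be the case where nfit_mem is NULL) the value is read again
at line 479 without having gone through that check.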
458 if (func < 0)
459 return func;
460
461 if (nvdimm) {
462 struct acpi_device *adev = nfit_mem->adev;
463
464 if (!adev)
465 return -ENOTTY;
466
467 dimm_name = nvdimm_name(nvdimm);
468 cmd_name = nvdimm_cmd_name(cmd);
469 cmd_mask = nvdimm_cmd_mask(nvdimm);
470 dsm_mask = nfit_mem->dsm_mask;
471 desc = nd_cmd_dimm_desc(cmd);
472 guid = to_nfit_uuid(nfit_mem->family);
473 handle = adev->handle;
474 } else {
475 struct acpi_device *adev = to_acpi_dev(acpi_desc);
476
477 cmd_name = nvdimm_bus_cmd_name(cmd);
478 cmd_mask = nd_desc->cmd_mask;
479 if (cmd == ND_CMD_CALL && call_pkg->nd_family) {
480 family = call_pkg->nd_family;
481 if (!test_bit(family, &nd_desc->bus_family_mask))
^^^^^^
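If "family" is more than BITS_PER_LONG then this will overflow, i.e.
test_bit() reads beyond the bitmap it is given.  The same unchecked
value is then used as the array index on line 483, so "family" needs to
be bounded against the number of supported bus families before either
use.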
482 return -EINVAL;
483 dsm_mask = acpi_desc->family_dsm_mask[family];
^^^^^^^^^^^^^^^^^^^^^^^
484 guid = to_nfit_bus_uuid(family);
485 } else {
486 dsm_mask = acpi_desc->bus_dsm_mask;
487 guid = to_nfit_uuid(NFIT_DEV_BUS);
488 }
489 desc = nd_cmd_bus_desc(cmd);
490 handle = adev->handle;
491 dimm_name = "bus";
492 }
493
494 if (!desc || (cmd && (desc->out_num + desc->in_num == 0)))
495 return -ENOTTY;
496
497 /*
498 * Check for a valid command. For ND_CMD_CALL, we also have to
499 * make sure that the DSM function is supported.
500 */
501 if (cmd == ND_CMD_CALL &&
regards,
dan carpenter