From: Russell King - ARM Linux admin <linux@armlinux.org.uk>
To: Arnd Bergmann <arnd@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
Kyungmin Park <kyungmin.park@samsung.com>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ARM: dma-mapping: fix out of bounds access in CMA
Date: Tue, 23 Mar 2021 13:28:50 +0000 [thread overview]
Message-ID: <20210323132850.GB1463@shell.armlinux.org.uk> (raw)
In-Reply-To: <20210323131423.2581218-1-arnd@kernel.org>
On Tue, Mar 23, 2021 at 02:14:13PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> Dereferencing a zero-length array is always a bug, and we get a warning
> with 'make W=1' here:
>
> arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
> arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
> 395 | dma_mmu_remap[dma_mmu_remap_num].base = base;
> | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
> 389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata;
> | ^~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
>
> Add a runtime check to prevent this from happening, while also
> avoiding the compile-time warning.
>
> Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> arch/arm/mm/dma-mapping.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index c4b8df2ad328..af29344fb150 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata;
>
> void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
> {
> + if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) {
> + WARN_ONCE(1, "number of CMA areas\n");
> + return;
> + }
> +
What if dma_mmu_remap_num were negative - that condition is not checked
and will also result in an overflow of the array. If we're being fussy
enough to bounds check, we ought to do it properly.
So, I think a better solution would be to make dma_mmu_remap_num an
unsigned int, and then to use:
if (dma_mmu_remap_num >= ARRAY_SIZE(dma_mmu_remap)) {
...
}
which is really the condition we're after here.
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
WARNING: multiple messages have this Message-ID (diff)
From: Russell King - ARM Linux admin <linux@armlinux.org.uk>
To: Arnd Bergmann <arnd@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
Kyungmin Park <kyungmin.park@samsung.com>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ARM: dma-mapping: fix out of bounds access in CMA
Date: Tue, 23 Mar 2021 13:28:50 +0000 [thread overview]
Message-ID: <20210323132850.GB1463@shell.armlinux.org.uk> (raw)
In-Reply-To: <20210323131423.2581218-1-arnd@kernel.org>
On Tue, Mar 23, 2021 at 02:14:13PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> Dereferencing a zero-length array is always a bug, and we get a warning
> with 'make W=1' here:
>
> arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
> arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
> 395 | dma_mmu_remap[dma_mmu_remap_num].base = base;
> | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
> 389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata;
> | ^~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
>
> Add a runtime check to prevent this from happening, while also
> avoiding the compile-time warning.
>
> Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> arch/arm/mm/dma-mapping.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index c4b8df2ad328..af29344fb150 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata;
>
> void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
> {
> + if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) {
> + WARN_ONCE(1, "number of CMA areas\n");
> + return;
> + }
> +
What if dma_mmu_remap_num were negative - that condition is not checked
and will also result in an overflow of the array. If we're being fussy
enough to bounds check, we ought to do it properly.
So, I think a better solution would be to make dma_mmu_remap_num an
unsigned int, and then to use:
if (dma_mmu_remap_num >= ARRAY_SIZE(dma_mmu_remap)) {
...
}
which is really the condition we're after here.
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-03-23 13:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-23 13:14 [PATCH] ARM: dma-mapping: fix out of bounds access in CMA Arnd Bergmann
2021-03-23 13:14 ` Arnd Bergmann
2021-03-23 13:28 ` Russell King - ARM Linux admin [this message]
2021-03-23 13:28 ` Russell King - ARM Linux admin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210323132850.GB1463@shell.armlinux.org.uk \
--to=linux@armlinux.org.uk \
--cc=arnd@arndb.de \
--cc=arnd@kernel.org \
--cc=kyungmin.park@samsung.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=tsbogend@alpha.franken.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.