From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=uKMd=L7=lists.infradead.org=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EE2B7C07E95
	for <linux-arm-kernel@archiver.kernel.org>; Wed,  7 Jul 2021 17:56:33 +0000 (UTC)
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id B001361CC8
	for <linux-arm-kernel@archiver.kernel.org>; Wed,  7 Jul 2021 17:56:33 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B001361CC8
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:
	Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=Eb4YinxW4w5q0XpvaxjgNX9b95i184heq99Zfk2h/18=; b=jZxQFu0viqvaUz
	BzaBN7MWl3so+iy3SxYlRJ2dMEyaw2RbM6Xng0qKmuWS0UtBVNKlZ8/oFYgctzbjamAx48+B12WQo
	fPPkx4prcaKev7dHtX4PvAzv5GXO/UHf8OMWVx0izDh1JfPxXbGT6yheAtCbzT4t/T1Yd6Wb7mBF8
	mnl4kIa3F+AjViJggMqumT9xMbCFx+M97tRNIgwqCNdM9ZAURfoq9Csxb6u/zrFZmWqA8yoKGBFUS
	HQHss4AreGyC5G5aGhk58brhyt3E862u60xvTkw8tUKViKctYsQM2zzqLICDcJqlAjFQnWLIZRFJT
	NWqK7uvANarXMais/EzA==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1m1BlQ-00FRKS-5r; Wed, 07 Jul 2021 17:55:12 +0000
Received: from foss.arm.com ([217.140.110.172])
 by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
 id 1m1BlL-00FRJH-7l
 for linux-arm-kernel@lists.infradead.org; Wed, 07 Jul 2021 17:55:08 +0000
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id DE4EC1042;
 Wed,  7 Jul 2021 10:55:02 -0700 (PDT)
Received: from bogus (unknown [10.57.78.75])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 6E9D73F694;
 Wed,  7 Jul 2021 10:55:01 -0700 (PDT)
Date: Wed, 7 Jul 2021 18:54:13 +0100
From: Sudeep Holla <sudeep.holla@arm.com>
To: Cristian Marussi <cristian.marussi@arm.com>
Cc: linux-arm-kernel@lists.infradead.org, kernel test robot <lkp@intel.com>,
 Sudeep Holla <sudeep.holla@arm.com>,
 Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [PATCH] firmware: arm_scmi: Fix possible scmi_linux_errmap
 buffer overflow
Message-ID: <20210707175400.xq6maswfi2dpbau3@bogus>
References: <20210707135028.1869642-1-sudeep.holla@arm.com>
 <20210707140625.GI17807@e120937-lin>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20210707140625.GI17807@e120937-lin>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210707_105507_368300_A0DDD18D 
X-CRM114-Status: GOOD (  27.52  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On Wed, Jul 07, 2021 at 03:06:25PM +0100, Cristian Marussi wrote:
> On Wed, Jul 07, 2021 at 02:50:28PM +0100, Sudeep Holla wrote:
> > The scmi_linux_errmap buffer access index is supposed to depend on the
> > array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
> > to check bounds but that can mismatch with the array size. It also
> > changes the success into -EIO though scmi_linux_errmap is never used in
> > case of success, it is expected to work for success case too.
> > 
> > It is slightly confusing code as the negative of the error code
> > is used as index to the buffer. Fix it by negating it at the start and
> > make it more readable.
> > 
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
> > ---
> >  drivers/firmware/arm_scmi/driver.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > (Based on https://lore.kernel.org/r/20210707134739.1869481-1-sudeep.holla@arm.com)
> > 
> > diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
> > index 66e5e694be7d..2a5c1b3658c4 100644
> > --- a/drivers/firmware/arm_scmi/driver.c
> > +++ b/drivers/firmware/arm_scmi/driver.c
> > @@ -166,8 +166,10 @@ static const int scmi_linux_errmap[] = {
> >  
> >  static inline int scmi_to_linux_errno(int errno)
> >  {
> > -	if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX)
> > -		return scmi_linux_errmap[-errno];
> > +	int err_idx = -errno;
> > +
> > +	if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap))
> > +		return scmi_linux_errmap[err_idx];
> >  	return -EIO;
> >  }
> >  
> Hi,
> 
> Looks good to me; now SCMI_ERR_MAX is not referenced anymore by anyone
> but I suppose is good practice to still keep it as an end-marker for
> scmi_error_codes enum.
>

Good point, I will drop it as there are no users. It can be added later
if needed.

> Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
>

Thanks !

-- 
Regards,
Sudeep

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel