From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Russell King (Oracle)", Guenter Roeck, Sasha Levin, linux@armlinux.org.uk, linux-arm-kernel@lists.infradead.org
Subject: [PATCH AUTOSEL 4.9 3/3] ARM: findbit: fix overflowing offset
Date: Mon, 1 Aug 2022 15:03:58 -0400
Message-Id: <20220801190359.3820214-3-sashal@kernel.org>
In-Reply-To: <20220801190359.3820214-1-sashal@kernel.org>
References: <20220801190359.3820214-1-sashal@kernel.org>

From: "Russell King (Oracle)" [ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ] When offset is larger than the size of the bit array, we should not attempt to access the array as we can perform an access beyond the end of the array. Fix this by changing the pre-condition. Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since this will always take the branch when r1 is zero, irrespective of the value of r2. This means we can fix this bug without adding any additional code! Tested-by: Guenter Roeck Signed-off-by: Russell King (Oracle) Signed-off-by: Sasha Levin --- arch/arm/lib/findbit.S | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S index 7848780e8834..20fef6c41f6f 100644 --- a/arch/arm/lib/findbit.S +++ b/arch/arm/lib/findbit.S @@ -43,8 +43,8 @@ ENDPROC(_find_first_zero_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_zero_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -84,8 +84,8 @@ ENDPROC(_find_first_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -118,8 +118,8 @@ ENTRY(_find_first_zero_bit_be) ENDPROC(_find_first_zero_bit_be) ENTRY(_find_next_zero_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering 
@@ -152,8 +152,8 @@ ENTRY(_find_first_bit_be) ENDPROC(_find_first_bit_be) ENTRY(_find_next_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering -- 2.35.1
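Review bot: In all four `_find_next_*` entry points the new `cmp r2, r1` / `bhs 3b` pair is an unsigned comparison, while the prototype comments in the two `_le` hunks declare `int offset`. A negative offset is therefore treated as a very large value and takes the early exit, which is the safe outcome, but nothing in the code says so, and the zero-size test that `teq r1, #0` made explicit is now implicit. A short trailing comment on each `bhs 3b` line, for example `@ offset >= size (unsigned), also covers size == 0`, would record in the source what the commit message explains.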
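Review bot: The context comment above `ENTRY(_find_next_bit_le)` in the `@@ -84,8 +84,8 @@` hunk reads `Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset)`, which names the zero-bit variant above the set-bit routine. Since the lines directly below it are being changed, the comment could be corrected to `find_next_bit` in the same pass. The `_be` entry points in the last two hunks show no prototype comment in the visible context, so the argument-to-register mapping the new `cmp r2, r1` relies on is undocumented there.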