* [bug report] Linux-2.6.12-rc2
@ 2016-07-14 22:22 Dan Carpenter
  2016-07-15  3:24 ` Michael Ellerman
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2016-07-14 22:22 UTC (permalink / raw)
  To: linuxppc-dev

Hi PPC Devs,

The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005, leads
to the following static checker warning:

	arch/powerpc/sysdev/ipic.c:783 ipic_set_priority()
	error: buffer overflow 'ipic_info' 95 <= 127

arch/powerpc/sysdev/ipic.c
    36  static struct ipic_info ipic_info[] = {
    37          [1] = {
    38                  .mask   = IPIC_SIMSR_H,
    39                  .prio   = IPIC_SIPRR_C,
    40                  .force  = IPIC_SIFCR_H,
    41                  .bit    = 16,
    42                  .prio_mask = 0,
    43          },

 [ huge 95 element array snipped ]

   500          [94] = {
   501                  .mask   = IPIC_SIMSR_L,
   502                  .prio   = 0,
   503                  .force  = IPIC_SIFCR_L,
   504                  .bit    = 30,
   505          },
   506  };

 [ more code snipped ]

   773  int ipic_set_priority(unsigned int virq, unsigned int priority)
   774  {
   775          struct ipic *ipic = ipic_from_irq(virq);
   776          unsigned int src = virq_to_hw(virq);
   777          u32 temp;
   778  
   779          if (priority > 7)
   780                  return -EINVAL;
   781          if (src > 127)
                    ^^^^^^^^^
We cap this at 127

   782                  return -EINVAL;
   783          if (ipic_info[src].prio == 0)
                    ^^^^^^^^^^^^^^
But we only have 95 elements.  Should the array be larger or should
we say >= ARRAY_SIZE(ipic_info) is invalid?

   784                  return -EINVAL;
   785  

regards,
dan carpenter

* Re: [bug report] Linux-2.6.12-rc2
  2016-07-14 22:22 [bug report] Linux-2.6.12-rc2 Dan Carpenter
@ 2016-07-15  3:24 ` Michael Ellerman
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Ellerman @ 2016-07-15  3:24 UTC (permalink / raw)
  To: Dan Carpenter, linuxppc-dev

Dan Carpenter <dan.carpenter@oracle.com> writes:

> Hi PPC Devs,
>
> The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005, leads

Might want to special case that one :)

> to the following static checker warning:
>
> 	arch/powerpc/sysdev/ipic.c:783 ipic_set_priority()
> 	error: buffer overflow 'ipic_info' 95 <= 127
...
>
>    773  int ipic_set_priority(unsigned int virq, unsigned int priority)
>    774  {
>    775          struct ipic *ipic = ipic_from_irq(virq);
>    776          unsigned int src = virq_to_hw(virq);
>    777          u32 temp;
>    778  
>    779          if (priority > 7)
>    780                  return -EINVAL;
>    781          if (src > 127)
>                     ^^^^^^^^^
> We cap this at 127
>
>    782                  return -EINVAL;
>    783          if (ipic_info[src].prio == 0)
>                     ^^^^^^^^^^^^^^
> But we only have 95 elements.  Should the array be larger or should
> we say >= ARRAY_SIZE(ipic_info) is invalid?

I don't know the code personally, but looking at the history it seems new
interrupts are added manually with specific flags.

So testing against ARRAY_SIZE would be the best fix AFAICS.

cheers
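The bounds check Dan flagged and the ARRAY_SIZE() fix Michael suggests, as an added example that is not part of either message or of the kernel source: the table below is a constructed stand-in for ipic_info whose highest designated index, 94, gives it the same 95 slots the report counts, and only the .prio field the check reads is modelled.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed stand-in for struct ipic_info: only the field that
 * ipic_set_priority() inspects is kept. */
struct ipic_info {
	unsigned int prio;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sparse table in the style of the real one: designated
 * initialisers leave unlisted slots zeroed, and the highest index (94)
 * fixes the length at 95 elements, index 0..94. */
static struct ipic_info ipic_info[] = {
	[1]  = { .prio = 0x11 },
	[2]  = { .prio = 0x22 },
	[94] = { .prio = 0 },
};

/* The check as posted: the hardware source number is capped at 127,
 * but the table has only ARRAY_SIZE(ipic_info) slots, so sources
 * 95..127 pass and then index past the end of the array. */
static int check_src_original(unsigned int src)
{
	if (src > 127)
		return -EINVAL;
	return 0;
}

/* The fix suggested in the thread: reject anything at or beyond the
 * table, so the bound follows the array rather than a literal. */
static int check_src_fixed(unsigned int src)
{
	if (src >= ARRAY_SIZE(ipic_info))
		return -EINVAL;
	return 0;
}

/* Lookup using the fixed bound; -EINVAL for an out-of-range or
 * unconfigured (prio == 0) source, otherwise the priority register. */
int ipic_prio_lookup(unsigned int src)
{
	if (check_src_fixed(src) != 0 || ipic_info[src].prio == 0)
		return -EINVAL;
	return (int)ipic_info[src].prio;
}

/* How many source numbers the original check accepts that the table
 * cannot hold: the indices that would read past the array. */
unsigned int out_of_bounds_sources_accepted(void)
{
	unsigned int n = 0;
	for (unsigned int src = 0; src <= 127; src++)
		if (check_src_original(src) == 0 && check_src_fixed(src) != 0)
			n++;
	return n;
}
```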

* [bug report] Linux-2.6.12-rc2
@ 2017-10-17 21:52 Dan Carpenter
  0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2017-10-17 21:52 UTC (permalink / raw)
  To: Adaptec OEM Raid Solutions; +Cc: linux-scsi

Hey,

This code is older than git is so it probably doesn't matter.  But just
for laughs does anyone know what this should be?

	drivers/scsi/aic7xxx/aic7xxx_core.c:4807 ahc_init_scbdata()
	warn: integer overflow (literal): u32max + 1

drivers/scsi/aic7xxx/aic7xxx_core.c
  4794  
  4795          /*
  4796           * Create our DMA tags.  These tags define the kinds of device
  4797           * accessible memory allocations and memory mappings we will
  4798           * need to perform during normal operation.
  4799           *
  4800           * Unless we need to further restrict the allocation, we rely
  4801           * on the restrictions of the parent dmat, hence the common
  4802           * use of MAXADDR and MAXSIZE.
  4803           */
  4804  
  4805          /* DMA tag for our hardware scb structures */
  4806          if (ahc_dma_tag_create(ahc, ahc->parent_dmat, /*alignment*/1,
  4807                                 /*boundary*/BUS_SPACE_MAXADDR_32BIT + 1,
                                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is "0xffffffff + 1" which has an integer overflow so it's a
complicated way to say zero.

  4808                                 /*lowaddr*/BUS_SPACE_MAXADDR_32BIT,
  4809                                 /*highaddr*/BUS_SPACE_MAXADDR,
  4810                                 /*filter*/NULL, /*filterarg*/NULL,
  4811                                 AHC_SCB_MAX_ALLOC * sizeof(struct hardware_scb),
  4812                                 /*nsegments*/1,
  4813                                 /*maxsegsz*/BUS_SPACE_MAXSIZE_32BIT,
  4814                                 /*flags*/0, &scb_data->hscb_dmat) != 0) {
  4815                  goto error_exit;
  4816          }
  4817  
  4818          scb_data->init_level++;
  4819  

regards,
dan carpenter
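The wrap Dan describes, as an added example that is not part of the report or of the aic7xxx driver: BUS_SPACE_MAXADDR_32BIT is a stand-in defined to the 0xffffffff the message quotes, and the boundary semantics (a segment may not cross a multiple of the boundary, 0 meaning no restriction) are assumed from the bus_dma(9) API whose shape this driver's DMA tags follow.

```c
#include <stdint.h>

/* Stand-in for the macro in the report; the message gives its value as
 * 0xffffffff. A hex constant that does not fit in int has type
 * unsigned int, so arithmetic on it is 32-bit and wraps silently. */
#define BUS_SPACE_MAXADDR_32BIT 0xffffffff

/* The boundary argument as written in ahc_init_scbdata(): the addition
 * is done in 32-bit unsigned arithmetic and wraps to 0 before the value
 * is widened to the parameter type. */
uint64_t boundary_as_written(void)
{
	uint64_t boundary = BUS_SPACE_MAXADDR_32BIT + 1;
	return boundary;
}

/* Widen first, then add: the arithmetic happens in 64 bits and the
 * intended 4 GiB boundary survives. */
uint64_t boundary_widened(void)
{
	uint64_t boundary = (uint64_t)BUS_SPACE_MAXADDR_32BIT + 1;
	return boundary;
}

/* Assumed bus_dma-style rule: a segment [start, start+len) must not
 * cross a multiple of `boundary`; boundary == 0 disables the rule.
 * Returns 1 if the segment crosses, else 0. */
int segment_crosses_boundary(uint64_t start, uint64_t len, uint64_t boundary)
{
	if (boundary == 0 || len == 0)
		return 0;
	uint64_t end = start + len - 1;                       /* last byte */
	uint64_t next_line = (start / boundary + 1) * boundary; /* line above start */
	return end >= next_line;
}
```

With the wrapped value the crossing check is skipped for every segment, so the constraint the literal was meant to express is not enforced at all rather than enforced at 4 GiB.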
