* Coverity: mcp251xfd_dump_rx_ring(): Memory - illegal accesses
@ 2021-03-31 21:59 coverity-bot
2021-04-01 7:49 ` Marc Kleine-Budde
0 siblings, 1 reply; 3+ messages in thread
From: coverity-bot @ 2021-03-31 21:59 UTC (permalink / raw)
To: Marc Kleine-Budde; +Cc: Gustavo A. R. Silva, linux-next
Hello!
This is an experimental semi-automated report about issues detected by
Coverity from a scan of next-20210331 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan
You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:
None
e0ab3dd5f98f ("can: mcp251xfd: add dev coredump support")
Coverity reported the following:
*** CID 1503585: Memory - illegal accesses (OVERRUN)
/drivers/net/can/spi/mcp251xfd/mcp251xfd-dump.c: 190 in mcp251xfd_dump_rx_ring()
184 static void mcp251xfd_dump_rx_ring(const struct mcp251xfd_priv *priv,
185 struct mcp251xfd_dump_iter *iter)
186 {
187 struct mcp251xfd_rx_ring *rx_ring;
188 unsigned int i;
189
vvv CID 1503585: Memory - illegal accesses (OVERRUN)
vvv Overrunning array of 1 8-byte elements at element index 1 (byte offset 15) by dereferencing pointer "priv->rx + i".
190 mcp251xfd_for_each_rx_ring(priv, rx_ring, i)
191 mcp251xfd_dump_rx_ring_one(priv, iter, rx_ring);
192 }
193
194 static void mcp251xfd_dump_tx_ring(const struct mcp251xfd_priv *priv,
195 struct mcp251xfd_dump_iter *iter)
If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1503585 ("Memory - illegal accesses")
Fixes: e0ab3dd5f98f ("can: mcp251xfd: add dev coredump support")
Thanks for your attention!
--
Coverity-bot
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Coverity: mcp251xfd_dump_rx_ring(): Memory - illegal accesses
2021-03-31 21:59 Coverity: mcp251xfd_dump_rx_ring(): Memory - illegal accesses coverity-bot
@ 2021-04-01 7:49 ` Marc Kleine-Budde
2021-04-01 20:37 ` Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: Marc Kleine-Budde @ 2021-04-01 7:49 UTC (permalink / raw)
To: coverity-bot; +Cc: Gustavo A. R. Silva, linux-next, linux-can
[-- Attachment #1: Type: text/plain, Size: 2906 bytes --]
On 31.03.2021 14:59:44, coverity-bot wrote:
> This is an experimental semi-automated report about issues detected by
> Coverity from a scan of next-20210331 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
>
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by commits:
>
> None
> e0ab3dd5f98f ("can: mcp251xfd: add dev coredump support")
>
> Coverity reported the following:
>
> *** CID 1503585: Memory - illegal accesses (OVERRUN)
> /drivers/net/can/spi/mcp251xfd/mcp251xfd-dump.c: 190 in mcp251xfd_dump_rx_ring()
> 184 static void mcp251xfd_dump_rx_ring(const struct mcp251xfd_priv *priv,
> 185 struct mcp251xfd_dump_iter *iter)
> 186 {
> 187 struct mcp251xfd_rx_ring *rx_ring;
> 188 unsigned int i;
> 189
> vvv CID 1503585: Memory - illegal accesses (OVERRUN)
> vvv Overrunning array of 1 8-byte elements at element index 1 (byte offset 15) by dereferencing pointer "priv->rx + i".
> 190 mcp251xfd_for_each_rx_ring(priv, rx_ring, i)
> 191 mcp251xfd_dump_rx_ring_one(priv, iter, rx_ring);
mcp251xfd_for_each_rx_ring is a macro that iterates over all RX rings in
the struct mcp251xfd_priv. It's not pretty (as it uses its arguments
more than once), but it works:
| #define mcp251xfd_for_each_rx_ring(priv, ring, n) \
| for ((n) = 0, (ring) = *((priv)->rx + (n)); \
| (n) < (priv)->rx_ring_num; \
| (n)++, (ring) = *((priv)->rx + (n)))
For now there is only one rx ring...
| struct mcp251xfd_priv {
| [...]
| struct mcp251xfd_rx_ring *rx[1];
| u8 rx_ring_num;
| [...]
| }
...and rx_ring_num is initialized as "1".
| for (i = 0;
| i < ARRAY_SIZE(priv->rx) && ram_free >= rx_obj_size;
| i++) {
| [...]
| }
| priv->rx_ring_num = i;
> 192 }
> 193
> 194 static void mcp251xfd_dump_tx_ring(const struct mcp251xfd_priv *priv,
> 195 struct mcp251xfd_dump_iter *iter)
>
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
This looks indeed like a false positive to me.
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1503585 ("Memory - illegal accesses")
> Fixes: e0ab3dd5f98f ("can: mcp251xfd: add dev coredump support")
regards,
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Coverity: mcp251xfd_dump_rx_ring(): Memory - illegal accesses
2021-04-01 7:49 ` Marc Kleine-Budde
@ 2021-04-01 20:37 ` Kees Cook
0 siblings, 0 replies; 3+ messages in thread
From: Kees Cook @ 2021-04-01 20:37 UTC (permalink / raw)
To: Marc Kleine-Budde; +Cc: Gustavo A. R. Silva, linux-next, linux-can
On Thu, Apr 01, 2021 at 09:49:04AM +0200, Marc Kleine-Budde wrote:
> On 31.03.2021 14:59:44, coverity-bot wrote:
> > This is an experimental semi-automated report about issues detected by
> > Coverity from a scan of next-20210331 as part of the linux-next scan project:
> > https://scan.coverity.com/projects/linux-next-weekly-scan
> >
> > You're getting this email because you were associated with the identified
> > lines of code (noted below) that were touched by commits:
> >
> > None
> > e0ab3dd5f98f ("can: mcp251xfd: add dev coredump support")
> >
> > Coverity reported the following:
> >
> > *** CID 1503585: Memory - illegal accesses (OVERRUN)
> > /drivers/net/can/spi/mcp251xfd/mcp251xfd-dump.c: 190 in mcp251xfd_dump_rx_ring()
> > 184 static void mcp251xfd_dump_rx_ring(const struct mcp251xfd_priv *priv,
> > 185 struct mcp251xfd_dump_iter *iter)
> > 186 {
> > 187 struct mcp251xfd_rx_ring *rx_ring;
> > 188 unsigned int i;
> > 189
> > vvv CID 1503585: Memory - illegal accesses (OVERRUN)
> > vvv Overrunning array of 1 8-byte elements at element index 1 (byte offset 15) by dereferencing pointer "priv->rx + i".
> > 190 mcp251xfd_for_each_rx_ring(priv, rx_ring, i)
> > 191 mcp251xfd_dump_rx_ring_one(priv, iter, rx_ring);
>
> mcp251xfd_for_each_rx_ring is a macro that iterates over all RX rings in
> the struct mcp251xfd_priv. It's not pretty (as it uses its arguments
> more than once), but it works:
Ah yes; thanks! This is another "for each" macro that that confuses
Coverity. I'll try to silence these...
Thanks for the details and taking a look at it!
-Kees
>
> | #define mcp251xfd_for_each_rx_ring(priv, ring, n) \
> | for ((n) = 0, (ring) = *((priv)->rx + (n)); \
> | (n) < (priv)->rx_ring_num; \
> | (n)++, (ring) = *((priv)->rx + (n)))
>
> For now there is only one rx ring...
>
> | struct mcp251xfd_priv {
> | [...]
> | struct mcp251xfd_rx_ring *rx[1];
> | u8 rx_ring_num;
> | [...]
> | }
>
> ...and rx_ring_num is initialized as "1".
>
> | for (i = 0;
> | i < ARRAY_SIZE(priv->rx) && ram_free >= rx_obj_size;
> | i++) {
> | [...]
> | }
> | priv->rx_ring_num = i;
>
>
> > 192 }
> > 193
> > 194 static void mcp251xfd_dump_tx_ring(const struct mcp251xfd_priv *priv,
> > 195 struct mcp251xfd_dump_iter *iter)
> >
> > If this is a false positive, please let us know so we can mark it as
> > such, or teach the Coverity rules to be smarter. If not, please make
> > sure fixes get into linux-next. :) For patches fixing this, please
> > include these lines (but double-check the "Fixes" first):
>
> This looks indeed like a false positive to me.
>
> > Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> > Addresses-Coverity-ID: 1503585 ("Memory - illegal accesses")
> > Fixes: e0ab3dd5f98f ("can: mcp251xfd: add dev coredump support")
>
> regards,
> Marc
>
> --
> Pengutronix e.K. | Marc Kleine-Budde |
> Embedded Linux | https://www.pengutronix.de |
> Vertretung West/Dortmund | Phone: +49-231-2826-924 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-01 20:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-31 21:59 Coverity: mcp251xfd_dump_rx_ring(): Memory - illegal accesses coverity-bot
2021-04-01 7:49 ` Marc Kleine-Budde
2021-04-01 20:37 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).