From: Evgeny Novikov <novikov@ispras.ru>
To: "David E. Box" <david.e.box@linux.intel.com>,
irenic.rajneesh@gmail.com, gayatri.kammela@intel.com,
hdegoede@redhat.com, mgross@linux.intel.com,
andy.shevchenko@gmail.com
Cc: platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] platform/x86: intel_pmc_core: Prevent possibile overflow
Date: Wed, 4 Aug 2021 13:48:53 +0300 [thread overview]
Message-ID: <159dec07-9f05-3a92-8b7d-3d2f27448f70@ispras.ru> (raw)
In-Reply-To: <20210804003039.359138-1-david.e.box@linux.intel.com>
Hi David,
Your patch fixes the out of bound issue, but I have another concern
regarding possible incomplete initialization of first 8 elements of the
lpm_priority array that is declared on the stack and is not initialized,
say, with zeroes. Yet again due to some invalid values coming from the
register, it is not guaranteed that something meaningful will be
assigned for all first 8 elements of lpm_priority in the first cycle in
pmc_core_get_low_power_modes(). In the second cycle this function
accesses all these elements from lpm_priority. Though there is test
"!(BIT(mode) & lpm_en)", it can pass accidentally, thus some unexpected
values can be stored to "pmcdev->lpm_en_modes[i++]" and exposed later.
Best regards,
Evgeny Novikov
On 04.08.2021 03:30, David E. Box wrote:
> Low Power Mode (LPM) priority is encoded in 4 bits. Yet, this value is used
> as an index to an array whose element size was less than 16, leading to the
> possibility of overflow should we read a larger than expected priority. Set
> the array size to 16 to prevent this.
>
> Reported-by: Evgeny Novikov <novikov@ispras.ru>
> Signed-off-by: David E. Box <david.e.box@linux.intel.com>
> ---
> drivers/platform/x86/intel_pmc_core.c | 2 +-
> drivers/platform/x86/intel_pmc_core.h | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
> index b0e486a6bdfb..2a761fe98277 100644
> --- a/drivers/platform/x86/intel_pmc_core.c
> +++ b/drivers/platform/x86/intel_pmc_core.c
> @@ -1451,7 +1451,7 @@ DEFINE_SHOW_ATTRIBUTE(pmc_core_pkgc);
>
> static void pmc_core_get_low_power_modes(struct pmc_dev *pmcdev)
> {
> - u8 lpm_priority[LPM_MAX_NUM_MODES];
> + u8 lpm_priority[LPM_MAX_PRI];
> u32 lpm_en;
> int mode, i, p;
>
> diff --git a/drivers/platform/x86/intel_pmc_core.h b/drivers/platform/x86/intel_pmc_core.h
> index e8dae9c6c45f..b98c2b44c938 100644
> --- a/drivers/platform/x86/intel_pmc_core.h
> +++ b/drivers/platform/x86/intel_pmc_core.h
> @@ -190,6 +190,7 @@ enum ppfear_regs {
> #define LPM_MAX_NUM_MODES 8
> #define GET_X2_COUNTER(v) ((v) >> 1)
> #define LPM_STS_LATCH_MODE BIT(31)
> +#define LPM_MAX_PRI 16 /* size of 4 bits */
>
> #define TGL_PMC_SLP_S0_RES_COUNTER_STEP 0x7A
> #define TGL_PMC_LTR_THC0 0x1C04
next prev parent reply other threads:[~2021-08-04 10:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-03 18:11 [PATCH] platform/x86: intel_pmc_core: Fix potential buffer overflows Evgeny Novikov
2021-08-03 18:26 ` Andy Shevchenko
2021-08-03 18:30 ` Andy Shevchenko
2021-08-04 9:43 ` Evgeny Novikov
2021-08-03 21:49 ` David E. Box
2021-08-04 0:30 ` [PATCH] platform/x86: intel_pmc_core: Prevent possibile overflow David E. Box
2021-08-04 10:48 ` Evgeny Novikov [this message]
2021-08-04 21:51 ` David E. Box
2021-08-05 16:21 ` Evgeny Novikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=159dec07-9f05-3a92-8b7d-3d2f27448f70@ispras.ru \
--to=novikov@ispras.ru \
--cc=andy.shevchenko@gmail.com \
--cc=david.e.box@linux.intel.com \
--cc=gayatri.kammela@intel.com \
--cc=hdegoede@redhat.com \
--cc=irenic.rajneesh@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mgross@linux.intel.com \
--cc=platform-driver-x86@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).