linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] media: cxd2880-spi: avoid out-of-bounds access warning
@ 2018-03-13 12:09 Arnd Bergmann
  2018-03-20  3:47 ` Yasunari.Takiguchi
  0 siblings, 1 reply; 2+ messages in thread
From: Arnd Bergmann @ 2018-03-13 12:09 UTC (permalink / raw)
  To: Yasunari Takiguchi, Mauro Carvalho Chehab
  Cc: Arnd Bergmann, Martin Sebor, Toshihiko Matsumoto, Kota Yonezawa,
	Satoshi Watanabe, Masayuki Yamamoto, linux-media, linux-kernel

The -Warray-bounds warning in gcc-8 triggers for a newly added file:

drivers/media/spi/cxd2880-spi.c: In function 'cxd2880_write_reg':
drivers/media/spi/cxd2880-spi.c:111:3: error: 'memcpy' forming offset [133, 258] is out of the bounds [0, 132] of object 'send_data' with type 'u8[132]' {aka 'unsigned char[132]'} [-Werror=array-bounds]

The problem appears to be that we have two range checks in this function,
first comparing against BURST_WRITE_MAX (128) and then comparing against
a literal '255'. The logic checking the buffer size looks at the second
one and decides that this might be the actual maximum data length.

This is understandable behavior from the compiler, but the code is actually
safe. Since the first check is already shorter, we can remove the loop
and only leave that. To be on the safe side in case BURST_WRITE_MAX might
be increased, I'm leaving the check against U8_MAX.

Fixes: bd24fcddf6b8 ("media: cxd2880-spi: Add support for CXD2880 SPI interface")
Cc: Martin Sebor <msebor@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/media/spi/cxd2880-spi.c | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/drivers/media/spi/cxd2880-spi.c b/drivers/media/spi/cxd2880-spi.c
index 4df3bd312f48..011a37c2f272 100644
--- a/drivers/media/spi/cxd2880-spi.c
+++ b/drivers/media/spi/cxd2880-spi.c
@@ -88,7 +88,7 @@ static int cxd2880_write_reg(struct spi_device *spi,
 		pr_err("invalid arg\n");
 		return -EINVAL;
 	}
-	if (size > BURST_WRITE_MAX) {
+	if (size > BURST_WRITE_MAX || size > U8_MAX) {
 		pr_err("data size > WRITE_MAX\n");
 		return -EINVAL;
 	}
@@ -101,24 +101,14 @@ static int cxd2880_write_reg(struct spi_device *spi,
 	send_data[0] = 0x0e;
 	write_data_top = data;
 
-	while (size > 0) {
-		send_data[1] = sub_address;
-		if (size > 255)
-			send_data[2] = 255;
-		else
-			send_data[2] = (u8)size;
+	send_data[1] = sub_address;
+	send_data[2] = (u8)size;
 
-		memcpy(&send_data[3], write_data_top, send_data[2]);
+	memcpy(&send_data[3], write_data_top, send_data[2]);
 
-		ret = cxd2880_write_spi(spi, send_data, send_data[2] + 3);
-		if (ret) {
-			pr_err("write spi failed %d\n", ret);
-			break;
-		}
-		sub_address += send_data[2];
-		write_data_top += send_data[2];
-		size -= send_data[2];
-	}
+	ret = cxd2880_write_spi(spi, send_data, send_data[2] + 3);
+	if (ret)
+		pr_err("write spi failed %d\n", ret);
 
 	return ret;
 }
-- 
2.9.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* RE: [PATCH] media: cxd2880-spi: avoid out-of-bounds access warning
  2018-03-13 12:09 [PATCH] media: cxd2880-spi: avoid out-of-bounds access warning Arnd Bergmann
@ 2018-03-20  3:47 ` Yasunari.Takiguchi
  0 siblings, 0 replies; 2+ messages in thread
From: Yasunari.Takiguchi @ 2018-03-20  3:47 UTC (permalink / raw)
  To: arnd, mchehab
  Cc: msebor, Toshihiko.Matsumoto, Kota.Yonezawa, Satoshi.C.Watanabe,
	Masayuki.Yamamoto, linux-media, linux-kernel, Yasunari.Takiguchi

Hi.

We check the patch. 

> -----Original Message-----
> From: Arnd Bergmann [mailto:arnd@arndb.de]
> Sent: Tuesday, March 13, 2018 9:09 PM
> To: Takiguchi, Yasunari (SSS); Mauro Carvalho Chehab
> Cc: Arnd Bergmann; Martin Sebor; Matsumoto, Toshihiko (SSS); Yonezawa,
> Kota (SSS); Watanabe, Satoshi (SSS); Yamamoto, Masayuki (SSS);
> linux-media@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: [PATCH] media: cxd2880-spi: avoid out-of-bounds access warning
> 
> The -Warray-bounds warning in gcc-8 triggers for a newly added file:
> 
> drivers/media/spi/cxd2880-spi.c: In function 'cxd2880_write_reg':
> drivers/media/spi/cxd2880-spi.c:111:3: error: 'memcpy' forming offset
> [133, 258] is out of the bounds [0, 132] of object 'send_data' with type
> 'u8[132]' {aka 'unsigned char[132]'} [-Werror=array-bounds]
> 
> The problem appears to be that we have two range checks in this function,
> first comparing against BURST_WRITE_MAX (128) and then comparing against
> a literal '255'. The logic checking the buffer size looks at the second
> one and decides that this might be the actual maximum data length.
> 
> This is understandable behavior from the compiler, but the code is
> actually safe. Since the first check is already shorter, we can remove
> the loop and only leave that. To be on the safe side in case BURST_WRITE_MAX
> might be increased, I'm leaving the check against U8_MAX.
> 
> Fixes: bd24fcddf6b8 ("media: cxd2880-spi: Add support for CXD2880 SPI
> interface")
> Cc: Martin Sebor <msebor@gmail.com>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  drivers/media/spi/cxd2880-spi.c | 24 +++++++-----------------
>  1 file changed, 7 insertions(+), 17 deletions(-)

Reviewed-by: Yasunari Takiguchi <Yasunari.Takiguchi@sony.com>

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-03-20  3:48 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-13 12:09 [PATCH] media: cxd2880-spi: avoid out-of-bounds access warning Arnd Bergmann
2018-03-20  3:47 ` Yasunari.Takiguchi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).