* [bug report] ACPI: NFIT: Define runtime firmware activation commands
@ 2020-11-11 11:30 Dan Carpenter
From: Dan Carpenter @ 2020-11-11 11:30 UTC (permalink / raw)
To: dan.j.williams; +Cc: linux-nvdimm
Hello Dan Williams,
The patch 6450ddbd5d8e: "ACPI: NFIT: Define runtime firmware
activation commands" from Jul 20, 2020, leads to the following static
checker warning:
drivers/acpi/nfit/core.c:481 acpi_nfit_ctl()
error: passing untrusted data 'family' to 'test_bit()'
drivers/acpi/nfit/core.c:483 acpi_nfit_ctl()
warn: uncapped user index 'acpi_desc->family_dsm_mask[family]'
drivers/acpi/nfit/core.c
435 int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
436 unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
437 {
438 struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
439 struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
440 union acpi_object in_obj, in_buf, *out_obj;
441 const struct nd_cmd_desc *desc = NULL;
442 struct device *dev = acpi_desc->dev;
443 struct nd_cmd_pkg *call_pkg = NULL;
444 const char *cmd_name, *dimm_name;
445 unsigned long cmd_mask, dsm_mask;
446 u32 offset, fw_status = 0;
447 acpi_handle handle;
448 const guid_t *guid;
449 int func, rc, i;
450 int family = 0;
451
452 if (cmd_rc)
453 *cmd_rc = -EINVAL;
454
455 if (cmd == ND_CMD_CALL)
456 call_pkg = buf;
^^^^^^^^^^^^^^^
If cmd == ND_CMD_CALL then call_pkg is controlled by the user.
457 func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
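cmd_to_func() checks "call_pkg->nd_family" but only if nfit_mem is
non-NULL, so on the bus path (the else branch at line 474, where nvdimm
is NULL) the value appears to reach line 479 without any validation.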
458 if (func < 0)
459 return func;
460
461 if (nvdimm) {
462 struct acpi_device *adev = nfit_mem->adev;
463
464 if (!adev)
465 return -ENOTTY;
466
467 dimm_name = nvdimm_name(nvdimm);
468 cmd_name = nvdimm_cmd_name(cmd);
469 cmd_mask = nvdimm_cmd_mask(nvdimm);
470 dsm_mask = nfit_mem->dsm_mask;
471 desc = nd_cmd_dimm_desc(cmd);
472 guid = to_nfit_uuid(nfit_mem->family);
473 handle = adev->handle;
474 } else {
475 struct acpi_device *adev = to_acpi_dev(acpi_desc);
476
477 cmd_name = nvdimm_bus_cmd_name(cmd);
478 cmd_mask = nd_desc->cmd_mask;
479 if (cmd == ND_CMD_CALL && call_pkg->nd_family) {
480 family = call_pkg->nd_family;
481 if (!test_bit(family, &nd_desc->bus_family_mask))
^^^^^^
If "family" is more than BITS_PER_LONG then this will overflow: test_bit()
reads past the end of the nd_desc->bus_family_mask word.
482 return -EINVAL;
483 dsm_mask = acpi_desc->family_dsm_mask[family];
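^^^^^^^^^^^^^^^^^^^^^^^
The same user-supplied "family" is used as an array index here, so it
needs an upper bound that matches the size of family_dsm_mask[] before
either use.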
484 guid = to_nfit_bus_uuid(family);
485 } else {
486 dsm_mask = acpi_desc->bus_dsm_mask;
487 guid = to_nfit_uuid(NFIT_DEV_BUS);
488 }
489 desc = nd_cmd_bus_desc(cmd);
490 handle = adev->handle;
491 dimm_name = "bus";
492 }
493
494 if (!desc || (cmd && (desc->out_num + desc->in_num == 0)))
495 return -ENOTTY;
496
497 /*
498 * Check for a valid command. For ND_CMD_CALL, we also have to
499 * make sure that the DSM function is supported.
500 */
501 if (cmd == ND_CMD_CALL &&
regards,
dan carpenter