| Message ID | 20200226195826.6567-1-colin.king@canonical.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers | show |
| Series | [V2] backlight: sky81452: insure while loop does not allow negative array indexing | expand |
On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > In the unlikely event that num_entry is zero, the while loop > pre-decrements num_entry to cause negative array indexing into the > array sources. Fix this by iterating only if num_entry >= 0. > > Addresses-Coverity: ("Out-of-bounds read") > Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > > V2: fix typo in commit subject line Isn't the correct spelling "ensure"? > --- > drivers/video/backlight/sky81452-backlight.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c > index 2355f00f5773..f456930ce78e 100644 > --- a/drivers/video/backlight/sky81452-backlight.c > +++ b/drivers/video/backlight/sky81452-backlight.c > @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( > } > > pdata->enable = 0; > - while (--num_entry) > + while (--num_entry >= 0) > pdata->enable |= (1 << sources[num_entry]); This look still looks buggy to me (so I'd second Walter's request to change it to a for loop). If the code genuinely does not contain a bug then it probably needs a prominent comment explaining why it is correct not to honour sources[0]! Daniel.
On Thu, Feb 27, 2020 at 11:46:23AM +0000, Daniel Thompson wrote: > On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote: > > From: Colin Ian King <colin.king@canonical.com> > > > > In the unlikely event that num_entry is zero, the while loop > > pre-decrements num_entry to cause negative array indexing into the > > array sources. Fix this by iterating only if num_entry >= 0. > > > > Addresses-Coverity: ("Out-of-bounds read") > > Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > > --- > > > > V2: fix typo in commit subject line > > Isn't the correct spelling "ensure"? > > > > --- > > drivers/video/backlight/sky81452-backlight.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c > > index 2355f00f5773..f456930ce78e 100644 > > --- a/drivers/video/backlight/sky81452-backlight.c > > +++ b/drivers/video/backlight/sky81452-backlight.c > > @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( > > } > > > > pdata->enable = 0; > > - while (--num_entry) > > + while (--num_entry >= 0) > > pdata->enable |= (1 << sources[num_entry]); > > This look still looks buggy to me (so I'd second Walter's request to > change it to a for loop). If the code genuinely does not contain a > bug then it probably needs a prominent comment explaining why it is > correct not to honour sources[0]! Ignore the "still looks buggy". A mental mis-step when switching contexts... I think my English is still correct though ;-) Daniel.
On 27/02/2020 11:46, Daniel Thompson wrote: > On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote: >> From: Colin Ian King <colin.king@canonical.com> >> >> In the unlikely event that num_entry is zero, the while loop >> pre-decrements num_entry to cause negative array indexing into the >> array sources. Fix this by iterating only if num_entry >= 0. >> >> Addresses-Coverity: ("Out-of-bounds read") >> Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") >> Signed-off-by: Colin Ian King <colin.king@canonical.com> >> --- >> >> V2: fix typo in commit subject line > > Isn't the correct spelling "ensure"? It is. V1 is correct after all. Doh. > > >> --- >> drivers/video/backlight/sky81452-backlight.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c >> index 2355f00f5773..f456930ce78e 100644 >> --- a/drivers/video/backlight/sky81452-backlight.c >> +++ b/drivers/video/backlight/sky81452-backlight.c >> @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( >> } >> >> pdata->enable = 0; >> - while (--num_entry) >> + while (--num_entry >= 0) >> pdata->enable |= (1 << sources[num_entry]); > > This look still looks buggy to me (so I'd second Walter's request to > change it to a for loop). If the code genuinely does not contain a > bug then it probably needs a prominent comment explaining why it is > correct not to honour sources[0]! > > > Daniel. >
On Thu, Feb 27, 2020 at 03:10:43PM +0000, Colin Ian King wrote: > On 27/02/2020 11:46, Daniel Thompson wrote: > > On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote: > >> From: Colin Ian King <colin.king@canonical.com> > >> > >> In the unlikely event that num_entry is zero, the while loop > >> pre-decrements num_entry to cause negative array indexing into the > >> array sources. Fix this by iterating only if num_entry >= 0. > >> > >> Addresses-Coverity: ("Out-of-bounds read") > >> Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") > >> Signed-off-by: Colin Ian King <colin.king@canonical.com> > >> --- > >> > >> V2: fix typo in commit subject line > > > > Isn't the correct spelling "ensure"? > > It is. V1 is correct after all. Doh. It wasn't spelt "ensure" in v1... Daniel.
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c index 2355f00f5773..f456930ce78e 100644 --- a/drivers/video/backlight/sky81452-backlight.c +++ b/drivers/video/backlight/sky81452-backlight.c @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( } pdata->enable = 0; - while (--num_entry) + while (--num_entry >= 0) pdata->enable |= (1 << sources[num_entry]); }