| Message ID | 20151109122455.GA28870@mwanda (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, 2015-11-09 at 15:24 +0300, Dan Carpenter wrote: > Smatch complains about a possible out of bounds error: > > drivers/vfio/pci/vfio_pci_config.c:1241 vfio_cap_init() > error: buffer overflow 'pci_cap_length' 20 <= 20 > > The problem is that pci_cap_length[] was defined as large enough to > hold "PCI_CAP_ID_AF + 1" elements. The code in vfio_cap_init() assumes > it has PCI_CAP_ID_MAX + 1 elements. Originally, PCI_CAP_ID_AF and > PCI_CAP_ID_MAX were the same but then we introduced PCI_CAP_ID_EA in > f80b0ba95964 ('PCI: Add Enhanced Allocation register entries') so now > the array is too small. > > Let's fix this by making the array size PCI_CAP_ID_MAX + 1. And let's > make a similar change to pci_ext_cap_length[] for consistency. Also > both these arrays can be made const. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- Applied to next for v4.4. Thanks! Alex -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c index a8657ef..fe2b470 100644 --- a/drivers/vfio/pci/vfio_pci_config.c +++ b/drivers/vfio/pci/vfio_pci_config.c @@ -46,7 +46,7 @@ * 0: Removed from the user visible capability list * FF: Variable length */ -static u8 pci_cap_length[] = { +static const u8 pci_cap_length[PCI_CAP_ID_MAX + 1] = { [PCI_CAP_ID_BASIC] = PCI_STD_HEADER_SIZEOF, /* pci config header */ [PCI_CAP_ID_PM] = PCI_PM_SIZEOF, [PCI_CAP_ID_AGP] = PCI_AGP_SIZEOF, @@ -74,7 +74,7 @@ static u8 pci_cap_length[] = { * 0: Removed or masked from the user visible capabilty list * FF: Variable length */ -static u16 pci_ext_cap_length[] = { +static const u16 pci_ext_cap_length[PCI_EXT_CAP_ID_MAX + 1] = { [PCI_EXT_CAP_ID_ERR] = PCI_ERR_ROOT_COMMAND, [PCI_EXT_CAP_ID_VC] = 0xFF, [PCI_EXT_CAP_ID_DSN] = PCI_EXT_CAP_DSN_SIZEOF,
Smatch complains about a possible out of bounds error: drivers/vfio/pci/vfio_pci_config.c:1241 vfio_cap_init() error: buffer overflow 'pci_cap_length' 20 <= 20 The problem is that pci_cap_length[] was defined as large enough to hold "PCI_CAP_ID_AF + 1" elements. The code in vfio_cap_init() assumes it has PCI_CAP_ID_MAX + 1 elements. Originally, PCI_CAP_ID_AF and PCI_CAP_ID_MAX were the same but then we introduced PCI_CAP_ID_EA in f80b0ba95964 ('PCI: Add Enhanced Allocation register entries') so now the array is too small. Let's fix this by making the array size PCI_CAP_ID_MAX + 1. And let's make a similar change to pci_ext_cap_length[] for consistency. Also both these arrays can be made const. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: more cleanups -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html