Message ID | 20200916194045.6378-1-novikov@ispras.ru (mailing list archive) |
---|---|
State | New, archived |
Series | mtd: rawnand: mtk: avoid underflow in mtk_nfc_nand_chip_init() |
Hi Evgeny, Evgeny Novikov <novikov@ispras.ru> wrote on Wed, 16 Sep 2020 22:40:45 +0300: > If of_get_property() will set nsels to negative values the driver may Is this really a possible case? Looking at the OF code, I don't think it can ever happen... > allocate insufficient memory for chip. Moreover, there may be underflow > for devm_kzalloc(). This can result in various bad consequences later. > The patch causes mtk_nfc_nand_chip_init() to fail for negative values of > nsels. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Evgeny Novikov <novikov@ispras.ru> > --- > drivers/mtd/nand/raw/mtk_nand.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c > index ad1b55dab211..df98a2eec240 100644 > --- a/drivers/mtd/nand/raw/mtk_nand.c > +++ b/drivers/mtd/nand/raw/mtk_nand.c > @@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc, > return -ENODEV; > > nsels /= sizeof(u32); > - if (!nsels || nsels > MTK_NAND_MAX_NSELS) { > + if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) { > dev_err(dev, "invalid reg property size %d\n", nsels); > return -EINVAL; > } Thanks, Miquèl
Hi Miquel, 17.09.2020, 19:30, "Miquel Raynal" <miquel.raynal@bootlin.com>: > Hi Evgeny, > > Evgeny Novikov <novikov@ispras.ru> wrote on Wed, 16 Sep 2020 22:40:45 > +0300: > >> If of_get_property() will set nsels to negative values the driver may > > Is this really a possible case? > > Looking at the OF code, I don't think it can ever happen... I do not know whether this is possible now or it will be possible one day in the future. Our tool assumed that this can happen according to the type (int). Also, I can not find any driver that may suffer from this. Two examples where negative cases are forbidden intentionally or unintentionally: - drivers/sbus/char/openprom.c - drivers/video/fbdev/omap2/omapfb/dss/dsi.c Best regards, Evgeny >> allocate insufficient memory for chip. Moreover, there may be underflow >> for devm_kzalloc(). This can result in various bad consequences later. >> The patch causes mtk_nfc_nand_chip_init() to fail for negative values of >> nsels. >> >> Found by Linux Driver Verification project (linuxtesting.org). >> >> Signed-off-by: Evgeny Novikov <novikov@ispras.ru> >> --- >> drivers/mtd/nand/raw/mtk_nand.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c >> index ad1b55dab211..df98a2eec240 100644 >> --- a/drivers/mtd/nand/raw/mtk_nand.c >> +++ b/drivers/mtd/nand/raw/mtk_nand.c >> @@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc, >> return -ENODEV; >> >> nsels /= sizeof(u32); >> - if (!nsels || nsels > MTK_NAND_MAX_NSELS) { >> + if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) { >> dev_err(dev, "invalid reg property size %d\n", nsels); >> return -EINVAL; >> } > > Thanks, > Miquèl
diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c index ad1b55dab211..df98a2eec240 100644 --- a/drivers/mtd/nand/raw/mtk_nand.c +++ b/drivers/mtd/nand/raw/mtk_nand.c @@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc, return -ENODEV; nsels /= sizeof(u32); - if (!nsels || nsels > MTK_NAND_MAX_NSELS) { + if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) { dev_err(dev, "invalid reg property size %d\n", nsels); return -EINVAL; }
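Review bot: the new `nsels <= 0` test sits after `nsels /= sizeof(u32);`, so it checks the quotient rather than the length that of_get_property() returned. Because sizeof yields an unsigned type, a negative int `nsels` is converted to a large unsigned value before the division and the result is converted back to int afterwards. What the comparison then sees depends on the width of size_t: on 64-bit builds the truncated quotient comes out negative and is caught by `nsels <= 0`, while on 32-bit builds it is a large positive number that falls to the existing `nsels > MTK_NAND_MAX_NSELS` test instead. Suggest rejecting a non-positive length before the division, on the raw byte count, so the check does not rely on conversion behaviour; the same spot could also reject a length that is not a multiple of sizeof(u32), which the division currently rounds down silently. The commit message should also address the question raised in the thread, namely whether of_get_property() can hand back a negative length at all, or say explicitly that the check is defensive.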
If of_get_property() will set nsels to negative values the driver may allocate insufficient memory for chip. Moreover, there may be underflow for devm_kzalloc(). This can result in various bad consequences later. The patch causes mtk_nfc_nand_chip_init() to fail for negative values of nsels. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov <novikov@ispras.ru> --- drivers/mtd/nand/raw/mtk_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)