diff mbox series

ARM: dma-mapping: fix out of bounds access in CMA

Message ID 20210323131423.2581218-1-arnd@kernel.org (mailing list archive)
State New, archived
Headers show
Series ARM: dma-mapping: fix out of bounds access in CMA | expand

Commit Message

Arnd Bergmann March 23, 2021, 1:14 p.m. UTC 
From: Arnd Bergmann <arnd@arndb.de>

Dereferencing a zero-length array is always a bug, and we get a warning
with 'make W=1' here:

arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
  395 |  dma_mmu_remap[dma_mmu_remap_num].base = base;
      |  ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
  389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata;
      |                                        ^~~~~~~~~~~~~
arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]

Add a runtime check to prevent this from happening, while also
avoiding the compile-time warning.

Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 arch/arm/mm/dma-mapping.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Russell King (Oracle) March 23, 2021, 1:28 p.m. UTC | #1 
On Tue, Mar 23, 2021 at 02:14:13PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Dereferencing a zero-length array is always a bug, and we get a warning
> with 'make W=1' here:
> 
> arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
> arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
>   395 |  dma_mmu_remap[dma_mmu_remap_num].base = base;
>       |  ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
>   389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata;
>       |                                        ^~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
> 
> Add a runtime check to prevent this from happening, while also
> avoiding the compile-time warning.
> 
> Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  arch/arm/mm/dma-mapping.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index c4b8df2ad328..af29344fb150 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata;
>  
>  void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
>  {
> +	if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) {
> +		WARN_ONCE(1, "number of CMA areas\n");
> +		return;
> +	}
> +

What if dma_mmu_remap_num were negative - that condition is not checked
and will also result in an overflow of the array. If we're being fussy
enough to bounds check, we ought to do it properly.

So, I think a better solution would be to make dma_mmu_remap_num an
unsigned int, and then to use:

	if (dma_mmu_remap_num >= ARRAY_SIZE(dma_mmu_remap)) {
		...
	}

which is really the condition we're after here.
diff mbox series

Patch

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index c4b8df2ad328..af29344fb150 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -392,6 +392,11 @@  static int dma_mmu_remap_num __initdata;
 
 void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
 {
+	if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) {
+		WARN_ONCE(1, "number of CMA areas\n");
+		return;
+	}
+
 	dma_mmu_remap[dma_mmu_remap_num].base = base;
 	dma_mmu_remap[dma_mmu_remap_num].size = size;
 	dma_mmu_remap_num++;
@@ -400,6 +405,10 @@  void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
 void __init dma_contiguous_remap(void)
 {
 	int i;
+
+	if (!MAX_CMA_AREAS)
+		return;
+
 	for (i = 0; i < dma_mmu_remap_num; i++) {
 		phys_addr_t start = dma_mmu_remap[i].base;
 		phys_addr_t end = start + dma_mmu_remap[i].size;