Message ID | 20210323131423.2581218-1-arnd@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | ARM: dma-mapping: fix out of bounds access in CMA | expand |
On Tue, Mar 23, 2021 at 02:14:13PM +0100, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > Dereferencing a zero-length array is always a bug, and we get a warning > with 'make W=1' here: > > arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup': > arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds] > 395 | dma_mmu_remap[dma_mmu_remap_num].base = base; > | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~ > arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap' > 389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata; > | ^~~~~~~~~~~~~ > arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds] > > Add a runtime check to prevent this from happening, while also > avoiding the compile-time warning. > > Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem") > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > arch/arm/mm/dma-mapping.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c > index c4b8df2ad328..af29344fb150 100644 > --- a/arch/arm/mm/dma-mapping.c > +++ b/arch/arm/mm/dma-mapping.c > @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata; > > void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size) > { > + if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) { > + WARN_ONCE(1, "number of CMA areas\n"); > + return; > + } > + What if dma_mmu_remap_num were negative - that condition is not checked and will also result in an overflow of the array. If we're being fussy enough to bounds check, we ought to do it properly. So, I think a better solution would be to make dma_mmu_remap_num an unsigned int, and then to use: if (dma_mmu_remap_num >= ARRAY_SIZE(dma_mmu_remap)) { ... } which is really the condition we're after here.
diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c index c4b8df2ad328..af29344fb150 100644 --- a/arch/arm/mm/dma-mapping.c +++ b/arch/arm/mm/dma-mapping.c @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata; void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size) { + if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) { + WARN_ONCE(1, "number of CMA areas\n"); + return; + } + dma_mmu_remap[dma_mmu_remap_num].base = base; dma_mmu_remap[dma_mmu_remap_num].size = size; dma_mmu_remap_num++; @@ -400,6 +405,10 @@ void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size) void __init dma_contiguous_remap(void) { int i; + + if (!MAX_CMA_AREAS) + return; + for (i = 0; i < dma_mmu_remap_num; i++) { phys_addr_t start = dma_mmu_remap[i].base; phys_addr_t end = start + dma_mmu_remap[i].size;