From patchwork Thu Jun 23 09:22:20 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 9194757
Return-Path: <linux-fbdev-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	19FAB6075C for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Thu, 23 Jun 2016 09:23:50 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 07FD91FF1C
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Thu, 23 Jun 2016 09:23:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id EEF0A28440; Thu, 23 Jun 2016 09:23:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F8101FF1C
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Thu, 23 Jun 2016 09:23:49 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751646AbcFWJXc (ORCPT
	<rfc822;patchwork-linux-fbdev@patchwork.kernel.org>);
	Thu, 23 Jun 2016 05:23:32 -0400
Received: from mout.kundenserver.de ([217.72.192.73]:64453 "EHLO
	mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751504AbcFWJX3 (ORCPT
	<rfc822;linux-fbdev@vger.kernel.org>);
	Thu, 23 Jun 2016 05:23:29 -0400
Received: from wuerfel.localnet ([78.42.132.4]) by mrelayeu.kundenserver.de
	(mreue102) with ESMTPSA (Nemesis) id 0MOAxo-1bLX7U3jEK-005coj;
	Thu, 23 Jun 2016 11:20:09 +0200
From: Arnd Bergmann <arnd@arndb.de>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>,
	Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>,
	Ingo Molnar <mingo@kernel.org>, "Luis R. Rodriguez" <mcgrof@suse.com>,
	Borislav Petkov <bp@suse.de>,
	Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] fbdev: atyfb: fix array overflow
Date: Thu, 23 Jun 2016 11:22:20 +0200
Message-ID: <4371798.3NSA9GRDBu@wuerfel>
User-Agent: KMail/5.1.3 (Linux/4.4.0-22-generic; KDE/5.18.0; x86_64; ; )
In-Reply-To: 
 <CAMuHMdUrrsVe_H0DwaRoJepYcMm50Yb4d500dia4Ou8kEaBioA@mail.gmail.com>
References: <20160622123822.1262383-1-arnd@arndb.de>
	<CAMuHMdUrrsVe_H0DwaRoJepYcMm50Yb4d500dia4Ou8kEaBioA@mail.gmail.com>
MIME-Version: 1.0
X-Provags-ID: V03:K0:xDkXAj+Yjh+wod9Ds7qU0w6mwDzdZ64WGq7AiBSytc63D5D29Go
	IW3Q8tUwzm5IjBdFrflCys+ADYVqEvD+uJXclDlprCB14C2FG1YF5e0WFgmsY61YPmR5WqF
	Rn8ZWzrVr8Q8HyXEKYWQ6Ew1Ik43SgAa5W8dpFZTrXbuJk3s1Yvyz0JDhr999DvQtnmoovM
	yJWzPUCCTavC8VlvybVSg==
X-UI-Out-Filterresults: notjunk:1; V01:K0:9xt11K3c1lQ=:B+NJzUgHXkb+cc43JoXAJi
	zDeRWWQ4i44XC2tO9MAerMeugdzdFyxIXkuAgn5puDJ+sT2g6bYU9H33Mh80CbiEGlRCuvkM4
	U+xOs/cAmEMkajGNXaQZGTiawLrCTZNkNNnoNTv3zEVKieAJ56Wyl7tY0D2e+0RWo5iqnQ+If
	UvIDBtTM+eDmx5qzk6JZGz3W0Xt7jN2eWhjotWxn4bz9hNab2AKSflVdH9uyQL5o5xWwTaY9u
	Ah+xnQlPuF5nRPbWFzb0YsFXrLwlD6P5HiECunze4+JEBcOZs9zoNGD6CJuAi+eiBZGhB7af5
	f/3NZNHh7PkkxknJlsOvaElU2+zm4qHjCm65+GC6bkFp8strXaHScXA81//Dcm9TURbCa/N2S
	k2UiiewRxmjy+cDopxU0uv+8BsG2Nz0+bFf7h76cuJGxZ41Whrtzl4IyRyMQgHRgVVbHbBoDp
	3usk2IVRcqydheCTfxBIdHvG/4YnjRwA0jo7qvpDbml5rQrYkngtz+8mkr2YvwZTR4e7iyLpj
	+ABGmw/j6y/2YjA/QXi+2RU6ZbCEE4XOQj/xoa5eiGdDIjQ/nkOshPZEH54o74Z+q8CxW5xm2
	zGWc+hOHAQxljnU8cg3P/yllq52Arg2YQzUGUrOG6zIIq88mI11rDL6mVY9v0BC9/TD5a0ZPV
	XAiL7e6b9z377ebTRbjeFQ6rUme3N0n8KMLxf1rYPc+2eSJtdWrwDoVk2+pvFNquKgCH6y97z
	VEx4qdQhi2Csw3uZ
Sender: linux-fbdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fbdev.vger.kernel.org>
X-Mailing-List: linux-fbdev@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Thursday, June 23, 2016 10:50:04 AM CEST Geert Uytterhoeven wrote:
> Hi Arnd,
> 
> On Wed, Jun 22, 2016 at 2:37 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> > When building with CONFIG_UBSAN_SANITIZE_ALL on ARM, I get this
> > gcc warning for atyfb:
> >
> > drivers/video/fbdev/aty/atyfb_base.c: In function 'aty_bl_update_status':
> > drivers/video/fbdev/aty/atyfb_base.c:167:33: warning: array subscript is above array bounds [-Warray-bounds]
> > drivers/video/fbdev/aty/atyfb_base.c:152:26: warning: array subscript is above array bounds [-Warray-bounds]
> >
> > Apparently the warning is correct and there is indeed an overflow,
> > which was never caught. I could only reproduce this on ARM and
> > have opened a bug against the compiler for the lack of warning.
> >
> > This patch makes the array larger, so we cover all possible
> > registers in the LCD controller without an overflow.
> >
> > Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> > Link: https://bugs.linaro.org/show_bug.cgi?id=2349
> > ---
> >  drivers/video/fbdev/aty/atyfb_base.c | 2 +-
> >  include/video/mach64.h               | 1 +
> >  2 files changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> > index 001d3d871800..36ffba152eab 100644
> > --- a/drivers/video/fbdev/aty/atyfb_base.c
> > +++ b/drivers/video/fbdev/aty/atyfb_base.c
> > @@ -134,7 +134,7 @@
> >
> >  #if defined(CONFIG_PM) || defined(CONFIG_PMAC_BACKLIGHT) || \
> >  defined (CONFIG_FB_ATY_GENERIC_LCD) || defined(CONFIG_FB_ATY_BACKLIGHT)
> > -static const u32 lt_lcd_regs[] = {
> > +static const u32 lt_lcd_regs[LCD_REG_NUM] = {
> >         CNFG_PANEL_LG,
> >         LCD_GEN_CNTL_LG,
> >         DSTN_CONTROL_LG,
> > diff --git a/include/video/mach64.h b/include/video/mach64.h
> > index 89e91c0cb737..9f74e9e0aeb8 100644
> > --- a/include/video/mach64.h
> > +++ b/include/video/mach64.h
> > @@ -1299,6 +1299,7 @@
> >  #define APC_LUT_KL             0x38
> >  #define APC_LUT_MN             0x39
> >  #define APC_LUT_OP             0x3A
> > +#define LCD_REG_NUM            0x3B /* total number */
> >
> >  /* Values in LCD_GEN_CTRL */
> >  #define CRT_ON                          0x00000001ul
> 
> This doesn't look like the right fix to me.
> 
> Before, aty_st_lcd(LCD_MISC_CNTL, reg, par) in aty_bl_update_status()
> wrote into an arbitrary register.
> With your fix, it will write to register 0, which is IMHO also not OK.

Ok, I see now. I thought it array was for initializing the registers and
caching the contents as some other drivers do it, but it's really used
for some indirect addressing method.

> I think aty_st_lcd() and aty_ld_lcd() should check whether the index is
> out of range, perhaps even with a WARN_ON()?

Just guessing what the right behavior would be, maybe something like
this? That would assume that the LCD_MISC_CNTL is accessible
through LCD_INDEX/LCD_DATA but not through a direct register.

	Arnd
---
To unsubscribe from this list: send the line "unsubscribe linux-fbdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
index 36ffba152eab..c67d4b767e9a 100644
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -148,7 +148,7 @@ static const u32 lt_lcd_regs[LCD_REG_NUM] = {
 
 void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
 {
-	if (M64_HAS(LT_LCD_REGS)) {
+	if (M64_HAS(LT_LCD_REGS) && index < ARRAY_SIZE(lt_lcd_regs)) {
 		aty_st_le32(lt_lcd_regs[index], val, par);
 	} else {
 		unsigned long temp;
@@ -163,7 +163,7 @@ void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
 
 u32 aty_ld_lcd(int index, const struct atyfb_par *par)
 {
-	if (M64_HAS(LT_LCD_REGS)) {
+	if (M64_HAS(LT_LCD_REGS) && index < ARRAY_SIZE(lt_lcd_regs)) {
 		return aty_ld_le32(lt_lcd_regs[index], par);
 	} else {
 		unsigned long temp;