diff mbox

[media] atmel-isc: fix off-by-one comparison and out of bounds read issue

Message ID 20170307143047.30082-1-colin.king@canonical.com (mailing list archive)
State New, archived
Headers show

Commit Message

Colin King March 7, 2017, 2:30 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

The are only HIST_ENTRIES worth of entries in  hist_entry however the
for-loop is iterating one too many times leasing to a read access off
the end off the array ctrls->hist_entry.  Fix this by iterating by
the correct number of times.

Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/media/platform/atmel/atmel-isc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Songjun Wu March 8, 2017, 2:25 a.m. UTC | #1 
Hi Colin,

Thank you for your comment.
It is a bug, will be fixed in the next patch.

On 3/7/2017 22:30, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The are only HIST_ENTRIES worth of entries in  hist_entry however the
> for-loop is iterating one too many times leasing to a read access off
> the end off the array ctrls->hist_entry.  Fix this by iterating by
> the correct number of times.
>
> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
> index b380a7d..7dacf8c 100644
> --- a/drivers/media/platform/atmel/atmel-isc.c
> +++ b/drivers/media/platform/atmel/atmel-isc.c
> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>  	regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>
>  	*hist_count = 0;
> -	for (i = 0; i <= HIST_ENTRIES; i++)
> +	for (i = 0; i < HIST_ENTRIES; i++)
>  		*hist_count += i * (*hist_entry++);
>  }
>
>
Hans Verkuil March 9, 2017, 10:57 a.m. UTC | #2 
Hi Songjun,

On 08/03/17 03:25, Wu, Songjun wrote:
> Hi Colin,
> 
> Thank you for your comment.
> It is a bug, will be fixed in the next patch.

Do you mean that you will provide a new patch for this? Is there anything
wrong with this patch? It seems reasonable to me.

Regards,

	Hans

> 
> On 3/7/2017 22:30, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>> for-loop is iterating one too many times leasing to a read access off
>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>> the correct number of times.
>>
>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>> index b380a7d..7dacf8c 100644
>> --- a/drivers/media/platform/atmel/atmel-isc.c
>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>
>>      *hist_count = 0;
>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>          *hist_count += i * (*hist_entry++);
>>  }
>>
>>
Walter Harms March 9, 2017, 11:49 a.m. UTC | #3 
Am 09.03.2017 11:57, schrieb Hans Verkuil:
> Hi Songjun,
> 
> On 08/03/17 03:25, Wu, Songjun wrote:
>> Hi Colin,
>>
>> Thank you for your comment.
>> It is a bug, will be fixed in the next patch.
> 
> Do you mean that you will provide a new patch for this? Is there anything
> wrong with this patch? It seems reasonable to me.
> 
> Regards,
> 
> 	Hans
> 



perhaps he will make it a bit more readable, like:

*hist_count += i * (*hist_entry++);

*hist_count += hist_entry[i]*i;


re,
 wh
>>
>> On 3/7/2017 22:30, Colin King wrote:
>>> From: Colin Ian King <colin.king@canonical.com>
>>>
>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>> for-loop is iterating one too many times leasing to a read access off
>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>> the correct number of times.
>>>
>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>
>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>> ---
>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>> index b380a7d..7dacf8c 100644
>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>
>>>      *hist_count = 0;
>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>          *hist_count += i * (*hist_entry++);
>>>  }
>>>
>>>
> 




> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
Colin King March 9, 2017, 11:50 a.m. UTC | #4 
On 09/03/17 11:49, walter harms wrote:
> 
> 
> Am 09.03.2017 11:57, schrieb Hans Verkuil:
>> Hi Songjun,
>>
>> On 08/03/17 03:25, Wu, Songjun wrote:
>>> Hi Colin,
>>>
>>> Thank you for your comment.
>>> It is a bug, will be fixed in the next patch.
>>
>> Do you mean that you will provide a new patch for this? Is there anything
>> wrong with this patch? It seems reasonable to me.
>>
>> Regards,
>>
>> 	Hans
>>
> 
> 
> 
> perhaps he will make it a bit more readable, like:
> 
> *hist_count += i * (*hist_entry++);
> 
> *hist_count += hist_entry[i]*i;

As long as it gets fixed somehow, then I'm happy.

Colin
> 
> 
> re,
>  wh
>>>
>>> On 3/7/2017 22:30, Colin King wrote:
>>>> From: Colin Ian King <colin.king@canonical.com>
>>>>
>>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>>> for-loop is iterating one too many times leasing to a read access off
>>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>>> the correct number of times.
>>>>
>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>>
>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>>> ---
>>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>>> index b380a7d..7dacf8c 100644
>>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>>
>>>>      *hist_count = 0;
>>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>>          *hist_count += i * (*hist_entry++);
>>>>  }
>>>>
>>>>
>>
> 
> 
> 
> 
>> --
>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
Songjun Wu March 13, 2017, 2:14 a.m. UTC | #5 
On 3/9/2017 19:50, Colin Ian King wrote:
> On 09/03/17 11:49, walter harms wrote:
>>
>>
>> Am 09.03.2017 11:57, schrieb Hans Verkuil:
>>> Hi Songjun,
>>>
>>> On 08/03/17 03:25, Wu, Songjun wrote:
>>>> Hi Colin,
>>>>
>>>> Thank you for your comment.
>>>> It is a bug, will be fixed in the next patch.
>>>
>>> Do you mean that you will provide a new patch for this? Is there anything
>>> wrong with this patch? It seems reasonable to me.
>>>
>>> Regards,
>>>
>>> 	Hans
>>>
>>
>>
>>
>> perhaps he will make it a bit more readable, like:
>>
>> *hist_count += i * (*hist_entry++);
>>
>> *hist_count += hist_entry[i]*i;
>
> As long as it gets fixed somehow, then I'm happy.
>
You suggestion is very good, I will modify it like this.
Thank you.

> Colin
>>
>>
>> re,
>>  wh
>>>>
>>>> On 3/7/2017 22:30, Colin King wrote:
>>>>> From: Colin Ian King <colin.king@canonical.com>
>>>>>
>>>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>>>> for-loop is iterating one too many times leasing to a read access off
>>>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>>>> the correct number of times.
>>>>>
>>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>>>
>>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>>>> ---
>>>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>>>> index b380a7d..7dacf8c 100644
>>>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>>>
>>>>>      *hist_count = 0;
>>>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>>>          *hist_count += i * (*hist_entry++);
>>>>>  }
>>>>>
>>>>>
>>>
>>
>>
>>
>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>
Songjun Wu March 13, 2017, 5:53 a.m. UTC | #6 
On 3/9/2017 18:57, Hans Verkuil wrote:
> Hi Songjun,
>
> On 08/03/17 03:25, Wu, Songjun wrote:
>> Hi Colin,
>>
>> Thank you for your comment.
>> It is a bug, will be fixed in the next patch.
>
> Do you mean that you will provide a new patch for this? Is there anything
> wrong with this patch? It seems reasonable to me.
>
Hi Hans,

I see this patch is merged in git://linuxtv.org/media_tree.git.
So I do not need submit isc-pipeline-v3 patch, just submit the patches, 
based on the current master branch?

> Regards,
>
> 	Hans
>
>>
>> On 3/7/2017 22:30, Colin King wrote:
>>> From: Colin Ian King <colin.king@canonical.com>
>>>
>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>> for-loop is iterating one too many times leasing to a read access off
>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>> the correct number of times.
>>>
>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>
>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>> ---
>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>> index b380a7d..7dacf8c 100644
>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>
>>>      *hist_count = 0;
>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>          *hist_count += i * (*hist_entry++);
>>>  }
>>>
>>>
>
Hans Verkuil March 13, 2017, 9:25 a.m. UTC | #7 
On 03/13/2017 06:53 AM, Wu, Songjun wrote:
> 
> 
> On 3/9/2017 18:57, Hans Verkuil wrote:
>> Hi Songjun,
>>
>> On 08/03/17 03:25, Wu, Songjun wrote:
>>> Hi Colin,
>>>
>>> Thank you for your comment.
>>> It is a bug, will be fixed in the next patch.
>>
>> Do you mean that you will provide a new patch for this? Is there anything
>> wrong with this patch? It seems reasonable to me.
>>
> Hi Hans,
> 
> I see this patch is merged in git://linuxtv.org/media_tree.git.
> So I do not need submit isc-pipeline-v3 patch, just submit the patches, 
> based on the current master branch?

Huh? Where do you see that this patch is merged? I don't see it in the media_tree master
branch.

Regards,

	Hans

> 
>> Regards,
>>
>> 	Hans
>>
>>>
>>> On 3/7/2017 22:30, Colin King wrote:
>>>> From: Colin Ian King <colin.king@canonical.com>
>>>>
>>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>>> for-loop is iterating one too many times leasing to a read access off
>>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>>> the correct number of times.
>>>>
>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>>
>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>>> ---
>>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>>> index b380a7d..7dacf8c 100644
>>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>>
>>>>      *hist_count = 0;
>>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>>          *hist_count += i * (*hist_entry++);
>>>>  }
>>>>
>>>>
>>
Songjun Wu March 13, 2017, 9:32 a.m. UTC | #8 
On 3/13/2017 17:25, Hans Verkuil wrote:
> On 03/13/2017 06:53 AM, Wu, Songjun wrote:
>>
>>
>> On 3/9/2017 18:57, Hans Verkuil wrote:
>>> Hi Songjun,
>>>
>>> On 08/03/17 03:25, Wu, Songjun wrote:
>>>> Hi Colin,
>>>>
>>>> Thank you for your comment.
>>>> It is a bug, will be fixed in the next patch.
>>>
>>> Do you mean that you will provide a new patch for this? Is there anything
>>> wrong with this patch? It seems reasonable to me.
>>>
>> Hi Hans,
>>
>> I see this patch is merged in git://linuxtv.org/media_tree.git.
>> So I do not need submit isc-pipeline-v3 patch, just submit the patches,
>> based on the current master branch?
>
> Huh? Where do you see that this patch is merged? I don't see it in the media_tree master
> branch.
>
Hi Hans,

I see this patch on the master branch in media_tree.
https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c

> Regards,
>
> 	Hans
>
>>
>>> Regards,
>>>
>>> 	Hans
>>>
>>>>
>>>> On 3/7/2017 22:30, Colin King wrote:
>>>>> From: Colin Ian King <colin.king@canonical.com>
>>>>>
>>>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>>>> for-loop is iterating one too many times leasing to a read access off
>>>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>>>> the correct number of times.
>>>>>
>>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>>>
>>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>>>> ---
>>>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>>>> index b380a7d..7dacf8c 100644
>>>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>>>
>>>>>      *hist_count = 0;
>>>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>>>          *hist_count += i * (*hist_entry++);
>>>>>  }
>>>>>
>>>>>
>>>
>
Hans Verkuil March 13, 2017, 10:23 a.m. UTC | #9 
On 03/13/2017 10:32 AM, Wu, Songjun wrote:
> 
> 
> On 3/13/2017 17:25, Hans Verkuil wrote:
>> On 03/13/2017 06:53 AM, Wu, Songjun wrote:
>>>
>>>
>>> On 3/9/2017 18:57, Hans Verkuil wrote:
>>>> Hi Songjun,
>>>>
>>>> On 08/03/17 03:25, Wu, Songjun wrote:
>>>>> Hi Colin,
>>>>>
>>>>> Thank you for your comment.
>>>>> It is a bug, will be fixed in the next patch.
>>>>
>>>> Do you mean that you will provide a new patch for this? Is there anything
>>>> wrong with this patch? It seems reasonable to me.
>>>>
>>> Hi Hans,
>>>
>>> I see this patch is merged in git://linuxtv.org/media_tree.git.
>>> So I do not need submit isc-pipeline-v3 patch, just submit the patches,
>>> based on the current master branch?
>>
>> Huh? Where do you see that this patch is merged? I don't see it in the media_tree master
>> branch.
>>
> Hi Hans,
> 
> I see this patch on the master branch in media_tree.
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c

???

That's a link to the source, not a patch.

And that source still does <= HIST_ENTRIES.

Still confused,

	Hans

> 
>> Regards,
>>
>> 	Hans
>>
>>>
>>>> Regards,
>>>>
>>>> 	Hans
>>>>
>>>>>
>>>>> On 3/7/2017 22:30, Colin King wrote:
>>>>>> From: Colin Ian King <colin.king@canonical.com>
>>>>>>
>>>>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>>>>> for-loop is iterating one too many times leasing to a read access off
>>>>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>>>>> the correct number of times.
>>>>>>
>>>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>>>>
>>>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>>>>> ---
>>>>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
>>>>>> index b380a7d..7dacf8c 100644
>>>>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>>>>      regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>>>>
>>>>>>      *hist_count = 0;
>>>>>> -    for (i = 0; i <= HIST_ENTRIES; i++)
>>>>>> +    for (i = 0; i < HIST_ENTRIES; i++)
>>>>>>          *hist_count += i * (*hist_entry++);
>>>>>>  }
>>>>>>
>>>>>>
>>>>
>>
diff mbox

Patch

diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c
index b380a7d..7dacf8c 100644
--- a/drivers/media/platform/atmel/atmel-isc.c
+++ b/drivers/media/platform/atmel/atmel-isc.c
@@ -1298,7 +1298,7 @@  static void isc_hist_count(struct isc_device *isc)
 	regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
 
 	*hist_count = 0;
-	for (i = 0; i <= HIST_ENTRIES; i++)
+	for (i = 0; i < HIST_ENTRIES; i++)
 		*hist_count += i * (*hist_entry++);
 }