Message ID | 20170307143047.30082-1-colin.king@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Hi Colin, Thank you for your comment. It is a bug, will be fixed in the next patch. On 3/7/2017 22:30, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > The are only HIST_ENTRIES worth of entries in hist_entry however the > for-loop is iterating one too many times leasing to a read access off > the end off the array ctrls->hist_entry. Fix this by iterating by > the correct number of times. > > Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > drivers/media/platform/atmel/atmel-isc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c > index b380a7d..7dacf8c 100644 > --- a/drivers/media/platform/atmel/atmel-isc.c > +++ b/drivers/media/platform/atmel/atmel-isc.c > @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) > regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); > > *hist_count = 0; > - for (i = 0; i <= HIST_ENTRIES; i++) > + for (i = 0; i < HIST_ENTRIES; i++) > *hist_count += i * (*hist_entry++); > } > >
Hi Songjun, On 08/03/17 03:25, Wu, Songjun wrote: > Hi Colin, > > Thank you for your comment. > It is a bug, will be fixed in the next patch. Do you mean that you will provide a new patch for this? Is there anything wrong with this patch? It seems reasonable to me. Regards, Hans > > On 3/7/2017 22:30, Colin King wrote: >> From: Colin Ian King <colin.king@canonical.com> >> >> The are only HIST_ENTRIES worth of entries in hist_entry however the >> for-loop is iterating one too many times leasing to a read access off >> the end off the array ctrls->hist_entry. Fix this by iterating by >> the correct number of times. >> >> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >> >> Signed-off-by: Colin Ian King <colin.king@canonical.com> >> --- >> drivers/media/platform/atmel/atmel-isc.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >> index b380a7d..7dacf8c 100644 >> --- a/drivers/media/platform/atmel/atmel-isc.c >> +++ b/drivers/media/platform/atmel/atmel-isc.c >> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >> >> *hist_count = 0; >> - for (i = 0; i <= HIST_ENTRIES; i++) >> + for (i = 0; i < HIST_ENTRIES; i++) >> *hist_count += i * (*hist_entry++); >> } >> >>
Am 09.03.2017 11:57, schrieb Hans Verkuil: > Hi Songjun, > > On 08/03/17 03:25, Wu, Songjun wrote: >> Hi Colin, >> >> Thank you for your comment. >> It is a bug, will be fixed in the next patch. > > Do you mean that you will provide a new patch for this? Is there anything > wrong with this patch? It seems reasonable to me. > > Regards, > > Hans > perhaps he will make it a bit more readable, like: *hist_count += i * (*hist_entry++); *hist_count += hist_entry[i]*i; re, wh >> >> On 3/7/2017 22:30, Colin King wrote: >>> From: Colin Ian King <colin.king@canonical.com> >>> >>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>> for-loop is iterating one too many times leasing to a read access off >>> the end off the array ctrls->hist_entry. Fix this by iterating by >>> the correct number of times. >>> >>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>> >>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>> --- >>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>> index b380a7d..7dacf8c 100644 >>> --- a/drivers/media/platform/atmel/atmel-isc.c >>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>> >>> *hist_count = 0; >>> - for (i = 0; i <= HIST_ENTRIES; i++) >>> + for (i = 0; i < HIST_ENTRIES; i++) >>> *hist_count += i * (*hist_entry++); >>> } >>> >>> > > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >
On 09/03/17 11:49, walter harms wrote: > > > Am 09.03.2017 11:57, schrieb Hans Verkuil: >> Hi Songjun, >> >> On 08/03/17 03:25, Wu, Songjun wrote: >>> Hi Colin, >>> >>> Thank you for your comment. >>> It is a bug, will be fixed in the next patch. >> >> Do you mean that you will provide a new patch for this? Is there anything >> wrong with this patch? It seems reasonable to me. >> >> Regards, >> >> Hans >> > > > > perhaps he will make it a bit more readable, like: > > *hist_count += i * (*hist_entry++); > > *hist_count += hist_entry[i]*i; As long as it gets fixed somehow, then I'm happy. Colin > > > re, > wh >>> >>> On 3/7/2017 22:30, Colin King wrote: >>>> From: Colin Ian King <colin.king@canonical.com> >>>> >>>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>>> for-loop is iterating one too many times leasing to a read access off >>>> the end off the array ctrls->hist_entry. Fix this by iterating by >>>> the correct number of times. >>>> >>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>>> >>>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>>> --- >>>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>>> index b380a7d..7dacf8c 100644 >>>> --- a/drivers/media/platform/atmel/atmel-isc.c >>>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>>> >>>> *hist_count = 0; >>>> - for (i = 0; i <= HIST_ENTRIES; i++) >>>> + for (i = 0; i < HIST_ENTRIES; i++) >>>> *hist_count += i * (*hist_entry++); >>>> } >>>> >>>> >> > > > > >> -- >> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >>
On 3/9/2017 19:50, Colin Ian King wrote: > On 09/03/17 11:49, walter harms wrote: >> >> >> Am 09.03.2017 11:57, schrieb Hans Verkuil: >>> Hi Songjun, >>> >>> On 08/03/17 03:25, Wu, Songjun wrote: >>>> Hi Colin, >>>> >>>> Thank you for your comment. >>>> It is a bug, will be fixed in the next patch. >>> >>> Do you mean that you will provide a new patch for this? Is there anything >>> wrong with this patch? It seems reasonable to me. >>> >>> Regards, >>> >>> Hans >>> >> >> >> >> perhaps he will make it a bit more readable, like: >> >> *hist_count += i * (*hist_entry++); >> >> *hist_count += hist_entry[i]*i; > > As long as it gets fixed somehow, then I'm happy. > You suggestion is very good, I will modify it like this. Thank you. > Colin >> >> >> re, >> wh >>>> >>>> On 3/7/2017 22:30, Colin King wrote: >>>>> From: Colin Ian King <colin.king@canonical.com> >>>>> >>>>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>>>> for-loop is iterating one too many times leasing to a read access off >>>>> the end off the array ctrls->hist_entry. Fix this by iterating by >>>>> the correct number of times. >>>>> >>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>>>> >>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>>>> --- >>>>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>> >>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>>>> index b380a7d..7dacf8c 100644 >>>>> --- a/drivers/media/platform/atmel/atmel-isc.c >>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>>>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>>>> >>>>> *hist_count = 0; >>>>> - for (i = 0; i <= HIST_ENTRIES; i++) >>>>> + for (i = 0; i < HIST_ENTRIES; i++) >>>>> *hist_count += i * (*hist_entry++); >>>>> } >>>>> >>>>> >>> >> >> >> >> >>> -- >>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> >
On 3/9/2017 18:57, Hans Verkuil wrote: > Hi Songjun, > > On 08/03/17 03:25, Wu, Songjun wrote: >> Hi Colin, >> >> Thank you for your comment. >> It is a bug, will be fixed in the next patch. > > Do you mean that you will provide a new patch for this? Is there anything > wrong with this patch? It seems reasonable to me. > Hi Hans, I see this patch is merged in git://linuxtv.org/media_tree.git. So I do not need submit isc-pipeline-v3 patch, just submit the patches, based on the current master branch? > Regards, > > Hans > >> >> On 3/7/2017 22:30, Colin King wrote: >>> From: Colin Ian King <colin.king@canonical.com> >>> >>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>> for-loop is iterating one too many times leasing to a read access off >>> the end off the array ctrls->hist_entry. Fix this by iterating by >>> the correct number of times. >>> >>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>> >>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>> --- >>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>> index b380a7d..7dacf8c 100644 >>> --- a/drivers/media/platform/atmel/atmel-isc.c >>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>> >>> *hist_count = 0; >>> - for (i = 0; i <= HIST_ENTRIES; i++) >>> + for (i = 0; i < HIST_ENTRIES; i++) >>> *hist_count += i * (*hist_entry++); >>> } >>> >>> >
On 03/13/2017 06:53 AM, Wu, Songjun wrote: > > > On 3/9/2017 18:57, Hans Verkuil wrote: >> Hi Songjun, >> >> On 08/03/17 03:25, Wu, Songjun wrote: >>> Hi Colin, >>> >>> Thank you for your comment. >>> It is a bug, will be fixed in the next patch. >> >> Do you mean that you will provide a new patch for this? Is there anything >> wrong with this patch? It seems reasonable to me. >> > Hi Hans, > > I see this patch is merged in git://linuxtv.org/media_tree.git. > So I do not need submit isc-pipeline-v3 patch, just submit the patches, > based on the current master branch? Huh? Where do you see that this patch is merged? I don't see it in the media_tree master branch. Regards, Hans > >> Regards, >> >> Hans >> >>> >>> On 3/7/2017 22:30, Colin King wrote: >>>> From: Colin Ian King <colin.king@canonical.com> >>>> >>>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>>> for-loop is iterating one too many times leasing to a read access off >>>> the end off the array ctrls->hist_entry. Fix this by iterating by >>>> the correct number of times. >>>> >>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>>> >>>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>>> --- >>>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>>> index b380a7d..7dacf8c 100644 >>>> --- a/drivers/media/platform/atmel/atmel-isc.c >>>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>>> >>>> *hist_count = 0; >>>> - for (i = 0; i <= HIST_ENTRIES; i++) >>>> + for (i = 0; i < HIST_ENTRIES; i++) >>>> *hist_count += i * (*hist_entry++); >>>> } >>>> >>>> >>
On 3/13/2017 17:25, Hans Verkuil wrote: > On 03/13/2017 06:53 AM, Wu, Songjun wrote: >> >> >> On 3/9/2017 18:57, Hans Verkuil wrote: >>> Hi Songjun, >>> >>> On 08/03/17 03:25, Wu, Songjun wrote: >>>> Hi Colin, >>>> >>>> Thank you for your comment. >>>> It is a bug, will be fixed in the next patch. >>> >>> Do you mean that you will provide a new patch for this? Is there anything >>> wrong with this patch? It seems reasonable to me. >>> >> Hi Hans, >> >> I see this patch is merged in git://linuxtv.org/media_tree.git. >> So I do not need submit isc-pipeline-v3 patch, just submit the patches, >> based on the current master branch? > > Huh? Where do you see that this patch is merged? I don't see it in the media_tree master > branch. > Hi Hans, I see this patch on the master branch in media_tree. https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c > Regards, > > Hans > >> >>> Regards, >>> >>> Hans >>> >>>> >>>> On 3/7/2017 22:30, Colin King wrote: >>>>> From: Colin Ian King <colin.king@canonical.com> >>>>> >>>>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>>>> for-loop is iterating one too many times leasing to a read access off >>>>> the end off the array ctrls->hist_entry. Fix this by iterating by >>>>> the correct number of times. >>>>> >>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>>>> >>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>>>> --- >>>>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>> >>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>>>> index b380a7d..7dacf8c 100644 >>>>> --- a/drivers/media/platform/atmel/atmel-isc.c >>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>>>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>>>> >>>>> *hist_count = 0; >>>>> - for (i = 0; i <= HIST_ENTRIES; i++) >>>>> + for (i = 0; i < HIST_ENTRIES; i++) >>>>> *hist_count += i * (*hist_entry++); >>>>> } >>>>> >>>>> >>> >
On 03/13/2017 10:32 AM, Wu, Songjun wrote: > > > On 3/13/2017 17:25, Hans Verkuil wrote: >> On 03/13/2017 06:53 AM, Wu, Songjun wrote: >>> >>> >>> On 3/9/2017 18:57, Hans Verkuil wrote: >>>> Hi Songjun, >>>> >>>> On 08/03/17 03:25, Wu, Songjun wrote: >>>>> Hi Colin, >>>>> >>>>> Thank you for your comment. >>>>> It is a bug, will be fixed in the next patch. >>>> >>>> Do you mean that you will provide a new patch for this? Is there anything >>>> wrong with this patch? It seems reasonable to me. >>>> >>> Hi Hans, >>> >>> I see this patch is merged in git://linuxtv.org/media_tree.git. >>> So I do not need submit isc-pipeline-v3 patch, just submit the patches, >>> based on the current master branch? >> >> Huh? Where do you see that this patch is merged? I don't see it in the media_tree master >> branch. >> > Hi Hans, > > I see this patch on the master branch in media_tree. > https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c ??? That's a link to the source, not a patch. And that source still does <= HIST_ENTRIES. Still confused, Hans > >> Regards, >> >> Hans >> >>> >>>> Regards, >>>> >>>> Hans >>>> >>>>> >>>>> On 3/7/2017 22:30, Colin King wrote: >>>>>> From: Colin Ian King <colin.king@canonical.com> >>>>>> >>>>>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>>>>> for-loop is iterating one too many times leasing to a read access off >>>>>> the end off the array ctrls->hist_entry. Fix this by iterating by >>>>>> the correct number of times. >>>>>> >>>>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>>>>> >>>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com> >>>>>> --- >>>>>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>>> >>>>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c >>>>>> index b380a7d..7dacf8c 100644 >>>>>> --- a/drivers/media/platform/atmel/atmel-isc.c >>>>>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>>>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>>>>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>>>>> >>>>>> *hist_count = 0; >>>>>> - for (i = 0; i <= HIST_ENTRIES; i++) >>>>>> + for (i = 0; i < HIST_ENTRIES; i++) >>>>>> *hist_count += i * (*hist_entry++); >>>>>> } >>>>>> >>>>>> >>>> >>
diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; - for (i = 0; i <= HIST_ENTRIES; i++) + for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); }