From: Masayoshi Mizuma
To: Dan Williams, linux-nvdimm
Cc: Masayoshi Mizuma
Subject: [PATCH v2] tools/testing/nvdimm: Fix the array size for dimm devices.
Date: Tue, 30 Oct 2018 21:50:25 -0400
Message-Id: <20181031015025.6406-1-msys.mizuma@gmail.com>

KASAN reports the following global out-of-bounds access while
nfit_test is being loaded. The out-of-bounds access happens at the
following reference to dimm_fail_cmd_flags[dimm]. 'dimm' is over
the index value, NUM_DCR (==5).

  static int override_return_code(int dimm, unsigned int func, int rc)
  {
          if ((1 << func) & dimm_fail_cmd_flags[dimm]) {

dimm_fail_cmd_flags[] definition:

  static unsigned long dimm_fail_cmd_flags[NUM_DCR];

'dimm' is the return value of get_dimm(), and get_dimm() returns
the index of the handle[] array. The handle[] has 7 indexes. Let's use
ARRAY_SIZE(handle) as the array size.

KASAN report:

==================================================================
BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
Read of size 8 at addr ffffffffc10cbbe8 by task kworker/u41:0/8
...
Call Trace:
 dump_stack+0xea/0x1b0
 ? dump_stack_print_info.cold.0+0x1b/0x1b
 ? kmsg_dump_rewind_nolock+0xd9/0xd9
 print_address_description+0x65/0x22e
 ? nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
 kasan_report.cold.6+0x92/0x1a6
 nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
...
The buggy address belongs to the variable:
 dimm_fail_cmd_flags+0x28/0xffffffffffffa440 [nfit_test]
==================================================================
Signed-off-by: Masayoshi Mizuma --- tools/testing/nvdimm/test/nfit.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c index 9527d47a1070..01ec04bf91b5 100644 --- a/tools/testing/nvdimm/test/nfit.c +++ b/tools/testing/nvdimm/test/nfit.c @@ -140,8 +140,8 @@ static u32 handle[] = { [6] = NFIT_DIMM_HANDLE(1, 0, 0, 0, 1), }; -static unsigned long dimm_fail_cmd_flags[NUM_DCR]; -static int dimm_fail_cmd_code[NUM_DCR]; +static unsigned long dimm_fail_cmd_flags[ARRAY_SIZE(handle)]; +static int dimm_fail_cmd_code[ARRAY_SIZE(handle)]; static const struct nd_intel_smart smart_def = { .flags = ND_INTEL_SMART_HEALTH_VALID @@ -205,7 +205,7 @@ struct nfit_test { unsigned long deadline; spinlock_t lock; } ars_state; - struct device *dimm_dev[NUM_DCR]; + struct device *dimm_dev[ARRAY_SIZE(handle)]; struct nd_intel_smart *smart; struct nd_intel_smart_threshold *smart_threshold; struct badrange badrange; @@ -2680,7 +2680,7 @@ static int nfit_test_probe(struct platform_device *pdev) u32 nfit_handle = __to_nfit_memdev(nfit_mem)->device_handle; int i; - for (i = 0; i < NUM_DCR; i++) + for (i = 0; i < ARRAY_SIZE(handle); i++) if (nfit_handle == handle[i]) dev_set_drvdata(nfit_test->dimm_dev[i], nfit_mem);
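
Review bot: In the first hunk (@@ -140,8), the new sizes of dimm_fail_cmd_flags[] and dimm_fail_cmd_code[] depend on an invariant that is not written down anywhere in the code: both arrays are indexed by a position in handle[]. A one-line comment above the two declarations stating this would keep them in sync when handle[] changes. Since the commit message shows override_return_code() using dimm_fail_cmd_flags[dimm] with no range check, consider also rejecting dimm < 0 or dimm >= ARRAY_SIZE(handle) at that use site, so a future mismatch fails cleanly instead of reading past the array.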
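
Review bot: The dimm_dev[] resize in struct nfit_test (@@ -205,7) is not explained by the commit message, which only discusses dimm_fail_cmd_flags[] and the KASAN report for that variable. Please add a sentence saying that dimm_dev[] is also indexed by the handle[] index (the probe loop in the last hunk uses nfit_test->dimm_dev[i] with i running over handle[]), so the reason for touching the struct is on record.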
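
Review bot: In nfit_test_probe() (@@ -2680,7), i is declared as int but is now compared against ARRAY_SIZE(handle), which is an unsigned size_t expression, so the loop condition becomes a mixed signed/unsigned comparison. It is harmless here because i starts at 0, but if nothing else in the function needs i to be signed, declaring it as unsigned int would keep the comparison clean under sign-compare warnings.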