[v2] PCI: kirin: Fix buffer overflow

Message ID	20240719122153.1987-1-adiupina@astralinux.ru (mailing list archive)
State	Superseded
Headers	show Received: from mx.astralinux.ru (mx.astralinux.ru [89.232.161.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5EA5813BC12; Fri, 19 Jul 2024 12:22:41 +0000 (UTC) From: Alexandra Diupina <adiupina@astralinux.ru> To: Xiaowei Song <songxiaowei@hisilicon.com> Cc: Alexandra Diupina <adiupina@astralinux.ru>, Binghui Wang <wangbinghui@hisilicon.com>, Lorenzo Pieralisi <lpieralisi@kernel.org>, =?utf-8?q?Krzysztof_Wilczy=C5=84?= =?utf-8?q?ski?= <kw@linux.com>, Rob Herring <robh@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>, Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH v2] PCI: kirin: Fix buffer overflow Date: Fri, 19 Jul 2024 15:21:53 +0300 Message-Id: <20240719122153.1987-1-adiupina@astralinux.ru> In-Reply-To: <20240712110756.3abe1806@foz.lan> References: Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit SE: 11.1.12.2210241838, Core engine: 7.00.65.05230, Virus records: 12057070, Updated: 2024-Jul-19 10:47:19 UTC]
Series	[v2] PCI: kirin: Fix buffer overflow \| expand [v2] PCI: kirin: Fix buffer overflow

Message ID

20240719122153.1987-1-adiupina@astralinux.ru (mailing list archive)

State

Superseded

Headers

From: Alexandra Diupina <adiupina@astralinux.ru>
To: Xiaowei Song <songxiaowei@hisilicon.com>
Cc: Alexandra Diupina <adiupina@astralinux.ru>,
 Binghui Wang <wangbinghui@hisilicon.com>,
 Lorenzo Pieralisi <lpieralisi@kernel.org>, =?utf-8?q?Krzysztof_Wilczy=C5=84?=
	=?utf-8?q?ski?= <kw@linux.com>, Rob Herring <robh@kernel.org>,
 Bjorn Helgaas <bhelgaas@google.com>,
 Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, linux-pci@vger.kernel.org,
 linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH v2] PCI: kirin: Fix buffer overflow
Date: Fri, 19 Jul 2024 15:21:53 +0300
Message-Id: <20240719122153.1987-1-adiupina@astralinux.ru>
In-Reply-To: <20240712110756.3abe1806@foz.lan>
References: 
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[v2] PCI: kirin: Fix buffer overflow | expand

Commit Message

Alexandra Diupina July 19, 2024, 12:21 p.m. UTC

In kirin_pcie_parse_port() pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
pcie->num_slots increment lower to avoid out-of-bounds
array access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v2: some changes
 drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Alexandra Diupina Sept. 2, 2024, 2:14 p.m. UTC | #1

just a friendly reminder


19/07/24 15:21, Alexandra Diupina пишет:
> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
> pcie->num_slots increment lower to avoid out-of-bounds
> array access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> ---
> v2: some changes
>   drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
> index d5523f302102..deab1e653b9a 100644
> --- a/drivers/pci/controller/dwc/pcie-kirin.c
> +++ b/drivers/pci/controller/dwc/pcie-kirin.c
> @@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
>   			if (pcie->gpio_id_reset[i] < 0)
>   				continue;
>   
> -			pcie->num_slots++;
> -			if (pcie->num_slots > MAX_PCI_SLOTS) {
> +			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
>   				dev_err(dev, "Too many PCI slots!\n");
>   				ret = -EINVAL;
>   				goto put_node;
>   			}
> +			pcie->num_slots++;
>   
>   			ret = of_pci_get_devfn(child);
>   			if (ret < 0) {

Krzysztof Wilczyński Sept. 2, 2024, 5:17 p.m. UTC | #2

Hello,

> just a friendly reminder

Would you mind sending a v2 as a standalone patch?  So that I can pick it
up via Patchwork and such.  I would be much obliged.

I wonder if Mauro would be willing to have another review of the new
iteration of the fix.  Just something that would be nice to have his
tag added.

	Krzysztof

Mauro Carvalho Chehab Sept. 2, 2024, 6:29 p.m. UTC | #3

Em Fri, 19 Jul 2024 15:21:53 +0300
Alexandra Diupina <adiupina@astralinux.ru> escreveu:

> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
> pcie->num_slots increment lower to avoid out-of-bounds
> array access.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>

LGTM.

Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

> ---
> v2: some changes
>  drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
> index d5523f302102..deab1e653b9a 100644
> --- a/drivers/pci/controller/dwc/pcie-kirin.c
> +++ b/drivers/pci/controller/dwc/pcie-kirin.c
> @@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
>  			if (pcie->gpio_id_reset[i] < 0)
>  				continue;
>  
> -			pcie->num_slots++;
> -			if (pcie->num_slots > MAX_PCI_SLOTS) {
> +			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
>  				dev_err(dev, "Too many PCI slots!\n");
>  				ret = -EINVAL;
>  				goto put_node;
>  			}
> +			pcie->num_slots++;
>  
>  			ret = of_pci_get_devfn(child);
>  			if (ret < 0) {



Thanks,
Mauro

diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
index d5523f302102..deab1e653b9a 100644
--- a/drivers/pci/controller/dwc/pcie-kirin.c
+++ b/drivers/pci/controller/dwc/pcie-kirin.c
@@ -412,12 +412,12 @@  static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
 			if (pcie->gpio_id_reset[i] < 0)
 				continue;
 
-			pcie->num_slots++;
-			if (pcie->num_slots > MAX_PCI_SLOTS) {
+			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
 				dev_err(dev, "Too many PCI slots!\n");
 				ret = -EINVAL;
 				goto put_node;
 			}
+			pcie->num_slots++;
 
 			ret = of_pci_get_devfn(child);
 			if (ret < 0) {