| Message ID | 20240903115823.30647-1-adiupina@astralinux.ru (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Krzysztof Wilczyński |
| Headers | show |
| Series | PCI: kirin: Fix buffer overflow | expand |
Hello, By the way, this would be v2, technically, but not to worry. > In kirin_pcie_parse_port() pcie->num_slots is compared to > pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix > condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move > pcie->num_slots increment lower to avoid out-of-bounds > array access. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. Applied to controller/kirin, thank you! [1/1] PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() https://git.kernel.org/pci/pci/c/c500a86693a1 Krzysztof
diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c index d5523f302102..deab1e653b9a 100644 --- a/drivers/pci/controller/dwc/pcie-kirin.c +++ b/drivers/pci/controller/dwc/pcie-kirin.c @@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie, if (pcie->gpio_id_reset[i] < 0) continue; - pcie->num_slots++; - if (pcie->num_slots > MAX_PCI_SLOTS) { + if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) { dev_err(dev, "Too many PCI slots!\n"); ret = -EINVAL; goto put_node; } + pcie->num_slots++; ret = of_pci_get_devfn(child); if (ret < 0) {
In kirin_pcie_parse_port() pcie->num_slots is compared to pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move pcie->num_slots increment lower to avoid out-of-bounds array access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge") Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru> Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> --- drivers/pci/controller/dwc/pcie-kirin.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)