From patchwork Tue Jan 16 15:30:46 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 10167449
Return-Path: <linux-samsung-soc-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	E5BC1600CA for <patchwork-linux-samsung-soc@patchwork.kernel.org>;
	Tue, 16 Jan 2018 15:31:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D6B9B228C8
	for <patchwork-linux-samsung-soc@patchwork.kernel.org>;
	Tue, 16 Jan 2018 15:31:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CAE6A28068; Tue, 16 Jan 2018 15:31:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 41AD2228C8
	for <patchwork-linux-samsung-soc@patchwork.kernel.org>;
	Tue, 16 Jan 2018 15:31:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751205AbeAPPbS (ORCPT
	<rfc822;patchwork-linux-samsung-soc@patchwork.kernel.org>);
	Tue, 16 Jan 2018 10:31:18 -0500
Received: from mout.kundenserver.de ([212.227.126.130]:50421 "EHLO
	mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751145AbeAPPbR (ORCPT
	<rfc822;linux-samsung-soc@vger.kernel.org>);
	Tue, 16 Jan 2018 10:31:17 -0500
Received: from wuerfel.lan ([95.208.111.237]) by mrelayeu.kundenserver.de
	(mreue006 [212.227.15.129]) with ESMTPA (Nemesis) id
	0MDaAr-1ecrIc0jEb-00GsKZ; Tue, 16 Jan 2018 16:31:07 +0100
From: Arnd Bergmann <arnd@arndb.de>
To: Sylwester Nawrocki <sylvester.nawrocki@gmail.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Sakari Ailus <sakari.ailus@linux.intel.com>,
	linux-media@vger.kernel.org, linux-samsung-soc@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] [v2] media: s3c-camif: fix out-of-bounds array access
Date: Tue, 16 Jan 2018 16:30:46 +0100
Message-Id: <20180116153105.3523235-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Provags-ID: V03:K0:KwEd3ocnORFZ1KMYIsNg8hJg3HwDQ5cevOCdNr6Vp6JiZq+F0Wi
	RnMZdxX77l9BjXhWbeR26uO1x9GXcKcrTCkY49/Wf4mi+5AtqteaGshTim2JT1SDGrEKDDL
	DpIL5ifgNFblGwaGf9I4sHKLXa+Y1LuzGM6bGdoGQ5pomRWb4nGE7dHxG2FzYOS9GdOh6tG
	uZM2WNgggpKpEtbyoAKOA==
X-UI-Out-Filterresults: notjunk:1; V01:K0:UFFoG5+3Hps=:TFB1yibS1bcQanhuA1g6Zc
	8Y8CTKzAivhw8yISyP33/xQoFfrl4IWeR25FiTJA1LuAsfAg3M9k9JDFwXXBnYKMZATyd4XG/
	dTeNCPOXOwCz7kC4YLA/jAcHaDp6GbMivYKe5ezdf6Y202R3CLTK6HVcpqeUflOHNwB3aGNM/
	H5xhtuVBl6p/Dvg9W0pel5xqvoCyQPN7TZp/L3zdPvX0rjWGqOOK+Fvh6IDQJz0EO0fG801+o
	oZzvXCafr5AnQgg07KEQCJxvR5D5UeU5ZpAz5KsXRUX05iBXkNYrwDdlQVGpyaxtO4eQqZ+YX
	YBArC9yEo3p8qKoUfJTOIbAkP8U3HrKCLQxXG2IHp6dX3wtjSoB8Pw/lZN7M7uVx77fRq9AIl
	2UIPXHvDMCZyKihXRhosB3OCyMpNmjG8w/7JtROvzpq6Uz/bX04HRb9Yt//VaFRM1HdQRc+oW
	KNq0JKNxyKY0+R4kmrcl449chjUb60t1TMuWg4/qMKA9klDgShiPYR5TbjdP0aEuZIPHJtigO
	pvl4gbYzZJIG16P5yLCcYHwv+Lg3pZgQE5GsfIKWeAckPK4MWCygOMnSJfDtF2nKvzWuWwLK7
	ALUbUK3YndlLwwUUHXUj/d+PBXPRunVC+n99J2+Bay1f11N78G/8T2gQ4kVaikaDgy7UcM3hD
	hyzGWgCtvGHRPeHKg9mwxhYRNUM9SzTN8o6EcINV/pne64JNIt3aaCVkKgOLagAxgH253npVc
	7qorqgKsa3y6WNfxXVQibEoqpfiAyVCPSmMuhQ==
Sender: linux-samsung-soc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-samsung-soc.vger.kernel.org>
X-Mailing-List: linux-samsung-soc@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

While experimenting with older compiler versions, I ran
into a warning that no longer shows up on gcc-4.8 or newer:

drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds

This is an off-by-one bug, leading to an access before the start of the
array, while newer compilers silently assume this undefined behavior
cannot happen and leave the loop at index 0 if no other entry matches.

As Sylvester explains, we actually need to ensure that the
value is within the range, so this reworks the loop to be
easier to parse correctly, and an additional check to fall
back on the first format value for any unexpected input.

I found an existing gcc bug for it and added a reduced version
of the function there.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
v2: rework logic rather than removing it.
---
 drivers/media/platform/s3c-camif/camif-capture.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c
index 437395a61065..002609be1400 100644
--- a/drivers/media/platform/s3c-camif/camif-capture.c
+++ b/drivers/media/platform/s3c-camif/camif-capture.c
@@ -1256,15 +1256,18 @@ static void __camif_subdev_try_format(struct camif_dev *camif,
 {
 	const struct s3c_camif_variant *variant = camif->variant;
 	const struct vp_pix_limits *pix_lim;
-	int i = ARRAY_SIZE(camif_mbus_formats);
+	int i;
 
 	/* FIXME: constraints against codec or preview path ? */
 	pix_lim = &variant->vp_pix_limits[VP_CODEC];
 
-	while (i-- >= 0)
+	for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
 		if (camif_mbus_formats[i] == mf->code)
 			break;
 
+	if (i == ARRAY_SIZE(camif_mbus_formats))
+		mf->code = camif_mbus_formats[0];
+
 	mf->code = camif_mbus_formats[i];
 
 	if (pad == CAMIF_SD_PAD_SINK) {