GET /api/patches/816125/?format=api
{ "id": 816125, "url": "http://patchwork.ozlabs.org/api/patches/816125/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170920102707.8266-4-colin.king@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170920102707.8266-4-colin.king@canonical.com>", "list_archive_url": null, "date": "2017-09-20T10:27:07", "name": "[3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds index io.dev", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "a13f3cbe1dbf6fce4c01b0f7789c337a8bc8c928", "submitter": { "id": 2900, "url": "http://patchwork.ozlabs.org/api/people/2900/?format=api", "name": "Colin Ian King", "email": "colin.king@canonical.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170920102707.8266-4-colin.king@canonical.com/mbox/", "series": [ { "id": 4075, "url": "http://patchwork.ozlabs.org/api/series/4075/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=4075", "date": "2017-09-20T10:27:04", "name": "UBUNTU: SAUCE: opennsl: fix static analysis issues", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/4075/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/816125/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/816125/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) 
smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)", "Received": [ "from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xxwsb3Typz9s81;\n\tWed, 20 Sep 2017 20:27:15 +1000 (AEST)", "from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1ducDn-0002KH-OT; Wed, 20 Sep 2017 10:27:11 +0000", "from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <colin.king@canonical.com>)\n\tid 1ducDl-0002IR-T7\n\tfor kernel-team@lists.ubuntu.com; Wed, 20 Sep 2017 10:27:09 +0000", "from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost)\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <colin.king@canonical.com>)\n\tid 1ducDl-00080u-AU; Wed, 20 Sep 2017 10:27:09 +0000" ], "From": "Colin King <colin.king@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[PATCH 3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds\n\tindex io.dev", "Date": "Wed, 20 Sep 2017 11:27:07 +0100", "Message-Id": "<20170920102707.8266-4-colin.king@canonical.com>", "X-Mailer": "git-send-email 2.14.1", "In-Reply-To": "<20170920102707.8266-1-colin.king@canonical.com>", "References": "<20170920102707.8266-1-colin.king@canonical.com>", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", 
"List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "From: Colin Ian King <colin.king@canonical.com>\n\nBugLink: https://launchpad.net/bugs/1718388\n\nio.dev is used as an index into the _devices array and currently\nthe user may pass any unsigned int value into io.dev which can create\nan out-of-bounds error. Fix this by sanity checking io.dev and\nreturning -EINVAL for out-of-bounds values of io.dev\n\nDetected by CoverityScan CID#1456895 (\"Untrusted array index read\")\n\nSigned-off-by: Colin Ian King <colin.king@canonical.com>\n---\n .../systems/bde/linux/user/kernel/linux-user-bde.c | 42 ++++++++++++++++++++++\n 1 file changed, 42 insertions(+)", "diff": "diff --git a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\nindex 2d7a521..44adb45 100644\n--- a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n+++ b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n@@ -912,6 +912,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n io.d0 = user_bde->num_devices(io.dev);\n break;\n case LUBDE_GET_DEVICE:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n bde_dev = user_bde->get_dev(io.dev);\n if (bde_dev) {\n io.d0 = bde_dev->device;\n@@ -926,13 +928,19 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n break;\n case LUBDE_GET_DEVICE_TYPE:\n+ if (io.dev >= 
LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n io.d0 = _devices[io.dev].dev_type;\n break;\n case LUBDE_GET_BUS_FEATURES:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n user_bde->pci_bus_features(io.dev, (int *) &io.d0, (int *) &io.d1,\n (int *) &io.d2);\n break;\n case LUBDE_PCI_CONFIG_PUT32:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n user_bde->pci_conf_write(io.dev, io.d0, io.d1);\n } else {\n@@ -940,6 +948,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n break;\n case LUBDE_PCI_CONFIG_GET32:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n io.d0 = user_bde->pci_conf_read(io.dev, io.d0);\n } else {\n@@ -947,6 +957,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n break;\n case LUBDE_GET_DMA_INFO:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n inst_id = io.dev;\n if (_bde_multi_inst){\n _dma_resource_get(inst_id, &pbase, &size);\n@@ -959,6 +971,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n io.d2 = USE_LINUX_BDE_MMAP;\n break;\n case LUBDE_ENABLE_INTERRUPTS:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n if (_devices[io.dev].isr && !_devices[io.dev].enabled) {\n user_bde->interrupt_connect(io.dev,\n@@ -978,12 +992,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n break;\n case LUBDE_DISABLE_INTERRUPTS:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (_devices[io.dev].enabled) {\n user_bde->interrupt_disconnect(io.dev);\n _devices[io.dev].enabled = 0;\n }\n break;\n case LUBDE_WAIT_FOR_INTERRUPT:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n res = &_bde_inst_resource[_devices[io.dev].inst];\n #ifdef BDE_LINUX_NON_INTERRUPTIBLE\n@@ -1040,27 +1058,39 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n 
break;\n case LUBDE_WRITE_IRQ_MASK:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n io.rc = lkbde_irq_mask_set(io.dev, io.d0, io.d1, 0);\n break;\n case LUBDE_SPI_READ_REG:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (user_bde->spi_read(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n io.rc = LUBDE_FAIL;\n } \n break;\n case LUBDE_SPI_WRITE_REG:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (user_bde->spi_write(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n io.rc = LUBDE_FAIL;\n }\n break;\n case LUBDE_READ_REG_16BIT_BUS:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n io.d1 = user_bde->read(io.dev, io.d0);\n break;\n case LUBDE_WRITE_REG_16BIT_BUS:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n io.rc = user_bde->write(io.dev, io.d0, io.d1);\n break;\n #if (defined(BCM_PETRA_SUPPORT) || defined(BCM_DFE_SUPPORT))\n case LUBDE_CPU_WRITE_REG:\n {\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (lkbde_cpu_write(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n io.rc = LUBDE_FAIL;\n }\n@@ -1068,6 +1098,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n case LUBDE_CPU_READ_REG:\n {\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (lkbde_cpu_read(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n io.rc = LUBDE_FAIL;\n }\n@@ -1075,6 +1107,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n case LUBDE_CPU_PCI_REGISTER:\n {\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (lkbde_cpu_pci_register(io.dev) == -1) {\n io.rc = LUBDE_FAIL;\n }\n@@ -1082,6 +1116,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n #endif\n case LUBDE_DEV_RESOURCE:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n bde_dev = user_bde->get_dev(io.dev);\n if (bde_dev) {\n if (BDE_DEV_MEM_MAPPED(_devices[io.dev].dev_type)) {\n@@ -1094,12 +1130,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n }\n break;\n case LUBDE_IPROC_READ_REG:\n+ if (io.dev >= 
LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n io.d1 = user_bde->iproc_read(io.dev, io.d0);\n if (io.d1 == -1) {\n io.rc = LUBDE_FAIL;\n }\n break;\n case LUBDE_IPROC_WRITE_REG:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n if (user_bde->iproc_write(io.dev, io.d0, io.d1) == -1) {\n io.rc = LUBDE_FAIL;\n }\n@@ -1108,6 +1148,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n io.rc = _instance_attach(io.d0, io.d1);\n break;\n case LUBDE_GET_DEVICE_STATE:\n+ if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n io.rc = lkbde_dev_state_get(io.dev, &io.d0);\n break;\n default:\n", "prefixes": [ "3/3" ] }
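Review bot: The added guard compares `io.dev` with the compile-time capacity `LINUX_BDE_MAX_DEVICES`, so an index that is below the capacity but above the number of devices actually probed still reaches `_devices[io.dev]` and the `user_bde->...` callbacks. If those slots can be unpopulated (their initialisation is not visible in these hunks), the check should use the live device count rather than the array size. In `LUBDE_GET_DMA_INFO` the value is reused as `inst_id` for `_dma_resource_get()`, which may index a per-instance table rather than `_devices`, so the device limit may be the wrong bound in that case. Because the same two lines are pasted into more than twenty cases, a single helper that validates the index and is called from each case would make it harder for a future case to miss the check. `_ioctl` starts and ends outside the hunks, so confirm that returning from inside the switch skips no copy-out or cleanup that follows it.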
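Review bot: In the `LUBDE_SPI_READ_REG` and `LUBDE_SPI_WRITE_REG` cases the new check bounds `io.dev` only, while `io.d1` is still passed unchecked to `spi_read()`/`spi_write()` together with the fixed buffer `io.dx.buf`. If `io.d1` is the transfer length (the callees are not shown, so this is inferred from the argument order), it comes from the same user-supplied struct and needs its own bound. Assuming `buf` is an array member, adding `if (io.d1 > sizeof(io.dx.buf)) return -EINVAL;` next to the index check would cover it. The declaration of `io` is outside the hunks, so the buffer size should be confirmed there.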