[{"id":1772435,"web_url":"http://patchwork.ozlabs.org/comment/1772435/","msgid":"<14e56e38-99f2-d10b-365c-d289840e1606@canonical.com>","list_archive_url":null,"date":"2017-09-21T06:15:36","subject":"ACK [PATCH 3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds\n\tindex io.dev","submitter":{"id":71819,"url":"http://patchwork.ozlabs.org/api/people/71819/","name":"Juerg Haefliger","email":"juerg.haefliger@canonical.com"},"content":"On 09/20/2017 12:27 PM, Colin King wrote:\n> From: Colin Ian King <colin.king@canonical.com>\n> \n> BugLink: https://launchpad.net/bugs/1718388\n> \n> io.dev is used as an index into the _devices array and currently\n> the user may pass any unsigned int value into io.dev which can create\n> an out-of-bounds error.  Fix this by sanity checking io.dev and\n> returning -EINVAL for out-of-bounds values of io.dev\n> \n> Detected by CoverityScan CID#1456895 (\"Untrusted array index read\")\n> \n> Signed-off-by: Colin Ian King <colin.king@canonical.com>\n> ---\n>  .../systems/bde/linux/user/kernel/linux-user-bde.c | 42 ++++++++++++++++++++++\n>  1 file changed, 42 insertions(+)\n> \n> diff --git a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n> index 2d7a521..44adb45 100644\n> --- a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n> +++ b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n> @@ -912,6 +912,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          io.d0 = user_bde->num_devices(io.dev);\n>          break;\n>      case LUBDE_GET_DEVICE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          bde_dev = user_bde->get_dev(io.dev);\n>          if (bde_dev) {\n>              io.d0 = bde_dev->device;\n> 
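Review bot: The new guard in `case LUBDE_GET_DEVICE` leaves the switch with `return -EINVAL;`, while cases later in this patch report failure through `io.rc = LUBDE_FAIL` and `break`. The body of `_ioctl` starts and ends outside the hunk, so confirm that nothing after the switch (copying `io` back to the caller, releasing anything taken earlier) is skipped on this path. The same two lines are pasted into every later case, and the `return` is tab-indented where the visible context lines use spaces. A single helper would keep the bound in one place, for example `static inline int _dev_idx_ok(unsigned int d) { return d < LINUX_BDE_MAX_DEVICES; }` used as `if (!_dev_idx_ok(io.dev)) return -EINVAL;`.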
@@ -926,13 +928,19 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_GET_DEVICE_TYPE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.d0 = _devices[io.dev].dev_type;\n>          break;\n>      case LUBDE_GET_BUS_FEATURES:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          user_bde->pci_bus_features(io.dev, (int *) &io.d0, (int *) &io.d1,\n>                                     (int *) &io.d2);\n>          break;\n>      case LUBDE_PCI_CONFIG_PUT32:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n>              user_bde->pci_conf_write(io.dev, io.d0, io.d1);\n>          } else {\n> @@ -940,6 +948,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_PCI_CONFIG_GET32:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n>              io.d0 = user_bde->pci_conf_read(io.dev, io.d0);\n>          } else {\n> @@ -947,6 +957,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_GET_DMA_INFO:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          inst_id = io.dev;\n>          if (_bde_multi_inst){\n>              _dma_resource_get(inst_id, &pbase, &size);\n> @@ -959,6 +971,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          io.d2 = USE_LINUX_BDE_MMAP;\n>          break;\n>      case LUBDE_ENABLE_INTERRUPTS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n>              if (_devices[io.dev].isr && !_devices[io.dev].enabled) {\n>                  user_bde->interrupt_connect(io.dev,\n> 
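Review bot: The direct reads `_devices[io.dev].dev_type` in `LUBDE_GET_DEVICE_TYPE` and `LUBDE_PCI_CONFIG_PUT32` are now bounded architecturally, but the index is caller-controlled and can still be used speculatively before the branch resolves, which is the case the kernel's `array_index_nospec()` helper covers. On a tree that provides `<linux/nospec.h>`, clamp after the check with `io.dev = array_index_nospec(io.dev, LINUX_BDE_MAX_DEVICES);`; the `_devices[io.dev]` uses in `LUBDE_PCI_CONFIG_GET32`, `LUBDE_ENABLE_INTERRUPTS`, `LUBDE_DISABLE_INTERRUPTS`, `LUBDE_WAIT_FOR_INTERRUPT` and `LUBDE_DEV_RESOURCE` want the same treatment. The comparison is also against the array capacity rather than the number of devices actually probed, so an in-range but unused slot still passes; whether that matters depends on how `_devices` is initialised, which is not visible here.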
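Review bot: In `LUBDE_GET_DMA_INFO` the checked value is not used as a `_devices` index at all: it is copied to `inst_id` and handed to `_dma_resource_get(inst_id, &pbase, &size)`, so `LINUX_BDE_MAX_DEVICES` may not be the right limit for whatever that function indexes. `_dma_resource_get` is outside the hunk; if it looks up per-instance state, bound `inst_id` against that table's size instead. Either way a one-line comment such as `/* io.dev is an instance id here, not a _devices index */` would stop the next reader assuming the two ranges are the same.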
@@ -978,12 +992,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_DISABLE_INTERRUPTS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].enabled) {\n>              user_bde->interrupt_disconnect(io.dev);\n>              _devices[io.dev].enabled = 0;\n>          }\n>          break;\n>      case LUBDE_WAIT_FOR_INTERRUPT:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n>              res = &_bde_inst_resource[_devices[io.dev].inst];\n>  #ifdef BDE_LINUX_NON_INTERRUPTIBLE\n> 
@@ -1040,27 +1058,39 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_WRITE_IRQ_MASK:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.rc = lkbde_irq_mask_set(io.dev, io.d0, io.d1, 0);\n>          break;\n>      case LUBDE_SPI_READ_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (user_bde->spi_read(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          } \n>          break;\n>      case LUBDE_SPI_WRITE_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (user_bde->spi_write(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n>          break;\n>      case LUBDE_READ_REG_16BIT_BUS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.d1 = user_bde->read(io.dev, io.d0);\n>          break;\n>      case LUBDE_WRITE_REG_16BIT_BUS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.rc = user_bde->write(io.dev, io.d0, io.d1);\n>          break;\n>  #if (defined(BCM_PETRA_SUPPORT) || defined(BCM_DFE_SUPPORT))\n>      case LUBDE_CPU_WRITE_REG:\n>      {\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (lkbde_cpu_write(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> @@ -1068,6 +1098,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>      }\n>      case LUBDE_CPU_READ_REG:\n>      {\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (lkbde_cpu_read(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> 
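Review bot: `LUBDE_SPI_READ_REG` and `LUBDE_SPI_WRITE_REG` now validate `io.dev` but still pass the caller-supplied `io.d1` together with `io.dx.buf` to `user_bde->spi_read()` and `spi_write()` with no visible limit. If `io.d1` is a length, as the argument order suggests, it should be capped before the call, e.g. `if (io.d1 > sizeof(io.dx.buf)) return -EINVAL;`, assuming `buf` is an in-struct array. The definition of `io.dx` and the SPI callbacks are outside this patch, so confirm what `io.d1` means first. The same question applies to `lkbde_cpu_write` and `lkbde_cpu_read` in this hunk and the next, which receive `io.dx.buf` cast to `uint32 *` alongside an unchecked `io.d0`.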
@@ -1075,6 +1107,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>      }\n>      case LUBDE_CPU_PCI_REGISTER:\n>      {\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (lkbde_cpu_pci_register(io.dev) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> @@ -1082,6 +1116,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>      }\n>  #endif\n>      case LUBDE_DEV_RESOURCE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          bde_dev = user_bde->get_dev(io.dev);\n>          if (bde_dev) {\n>              if (BDE_DEV_MEM_MAPPED(_devices[io.dev].dev_type)) {\n> @@ -1094,12 +1130,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_IPROC_READ_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.d1 = user_bde->iproc_read(io.dev, io.d0);\n>          if (io.d1 == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n>          break;\n>      case LUBDE_IPROC_WRITE_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (user_bde->iproc_write(io.dev, io.d0, io.d1) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> 
@@ -1108,6 +1148,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          io.rc = _instance_attach(io.d0, io.d1);\n>          break;\n>      case LUBDE_GET_DEVICE_STATE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.rc = lkbde_dev_state_get(io.dev, &io.d0);\n>          break;\n>      default:\n> \nAcked-by: Juerg Haefliger <juerg.haefliger@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xyRGb52lsz9t3F;\n\tThu, 21 Sep 2017 16:17:11 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1duunI-0007kI-Iw; Thu, 21 Sep 2017 06:17:04 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <juerg.haefliger@canonical.com>)\n\tid 1duunG-0007hM-QR\n\tfor kernel-team@lists.ubuntu.com; Thu, 21 Sep 2017 06:17:02 +0000","from mail-wr0-f198.google.com ([209.85.128.198])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <juerg.haefliger@canonical.com>)\n\tid 1duulu-00024g-9d\n\tfor kernel-team@lists.ubuntu.com; Thu, 21 Sep 2017 06:15:38 +0000","by mail-wr0-f198.google.com with SMTP id g50so5277670wra.4\n\tfor <kernel-team@lists.ubuntu.com>;\n\tWed, 20 Sep 2017 23:15:38 -0700 (PDT)","from [192.168.1.99] 
(adsl-84-227-115-101.adslplus.ch.\n\t[84.227.115.101]) by smtp.gmail.com with ESMTPSA id\n\ti6sm473817edl.61.2017.09.20.23.15.36\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tWed, 20 Sep 2017 23:15:36 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:subject:to:references:from:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-transfer-encoding;\n\tbh=Ml9GZatrVvVdeEzG+3/bv2tJdpGmWe8rN7yDzjVzlik=;\n\tb=I9/YGtEjrSJKanzokpC0bWRvPjDdIWFGsoEjuoqSbAoEGMxfuJw6cvZ5UxlrtGzLPs\n\tsn0/hE8+kEVNylCn83zxs+hdgUxzOnRYwhLOb7/RH4yDp7c2f+sSa8lEqBtuuc55KRVe\n\tJQ4JC7edalfc6Prgj1RGgkqZRNFkGMnEMgRE+zU1ogHo28tbgy1nkn63H1Kwimur8g49\n\tJbp8zW/z4aErHTF8LJgBF5UJjFzGizBxdNX1uc7CJVIo2uAABWCXVmlmAHU816Lzw/2T\n\tS1R+V6u9uUxyJFgP/yGhCZAh5wcSLehY4V1SEN/mbAYAfJ0kIAXq9jIKrLG/+QP+o5th\n\tXpMg==","X-Gm-Message-State":"AHPjjUgPejtaEfX5FQHT/ilbGBXhvumjWkRXXe60jJOsBfhUwoOtfZ56\n\tHpJAsO8gqCDgAGWSG2RLpgJ5Yguhyw5hPSOKCvfT0bk7ZGWtNR41c8sYqsLjQngleGX6Ut54TIR\n\tjbTNBhz0kwwZe0aPYqya+8bVdHs+ReYkQiNgsfFfHPg==","X-Received":["by 10.80.179.246 with SMTP id t51mr1255775edd.176.1505974537724; \n\tWed, 20 Sep 2017 23:15:37 -0700 (PDT)","by 10.80.179.246 with SMTP id t51mr1255758edd.176.1505974537466; \n\tWed, 20 Sep 2017 23:15:37 -0700 (PDT)"],"X-Google-Smtp-Source":"AOwi7QCuLHIXJ3CXgS0OE7HDQOW49B/WjOYdWqH+m32sX239o9quUT35raJHSmvxQS6rr3QYE5vdlQ==","Subject":"ACK [PATCH 3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds\n\tindex io.dev","To":"Colin King <colin.king@canonical.com>, kernel-team@lists.ubuntu.com","References":"<20170920102707.8266-1-colin.king@canonical.com>\n\t<20170920102707.8266-4-colin.king@canonical.com>","From":"Juerg Haefliger <juerg.haefliger@canonical.com>","Message-ID":"<14e56e38-99f2-d10b-365c-d289840e1606@canonical.com>","Date":"Thu, 21 Sep 2017 08:15:36 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) 
Gecko/20100101\n\tThunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<20170920102707.8266-4-colin.king@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1796062,"web_url":"http://patchwork.ozlabs.org/comment/1796062/","msgid":"<fb35e0b0-4687-0bd0-5f86-4906c355ae06@canonical.com>","list_archive_url":null,"date":"2017-10-30T16:04:52","subject":"Re: [PATCH 3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds\n\tindex io.dev","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/people/71419/","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"content":"On 09/20/17 12:27, Colin King wrote:\n> From: Colin Ian King <colin.king@canonical.com>\n> \n> BugLink: https://launchpad.net/bugs/1718388\n> \n> io.dev is used as an index into the _devices array and currently\n> the user may pass any unsigned int value into io.dev which can create\n> an out-of-bounds error.  Fix this by sanity checking io.dev and\n> returning -EINVAL for out-of-bounds values of io.dev\n> \n> Detected by CoverityScan CID#1456895 (\"Untrusted array index read\")\n> \n> 
Signed-off-by: Colin Ian King <colin.king@canonical.com>\n> ---\n>  .../systems/bde/linux/user/kernel/linux-user-bde.c | 42 ++++++++++++++++++++++\n>  1 file changed, 42 insertions(+)\n> \n> diff --git a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n> index 2d7a521..44adb45 100644\n> --- a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n> +++ b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n> @@ -912,6 +912,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          io.d0 = user_bde->num_devices(io.dev);\n\nColin,\n\nWas the check under LUBDE_GET_NUM_DEVICES deliberately left out?\n\n>          break;\n>      case LUBDE_GET_DEVICE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          bde_dev = user_bde->get_dev(io.dev);\n>          if (bde_dev) {\n>              io.d0 = bde_dev->device;\n> @@ -926,13 +928,19 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_GET_DEVICE_TYPE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.d0 = _devices[io.dev].dev_type;\n>          break;\n>      case LUBDE_GET_BUS_FEATURES:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          user_bde->pci_bus_features(io.dev, (int *) &io.d0, (int *) &io.d1,\n>                                     (int *) &io.d2);\n>          break;\n>      case LUBDE_PCI_CONFIG_PUT32:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n>              user_bde->pci_conf_write(io.dev, io.d0, io.d1);\n>          } else {\n> 
@@ -940,6 +948,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_PCI_CONFIG_GET32:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n>              io.d0 = user_bde->pci_conf_read(io.dev, io.d0);\n>          } else {\n> @@ -947,6 +957,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_GET_DMA_INFO:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          inst_id = io.dev;\n>          if (_bde_multi_inst){\n>              _dma_resource_get(inst_id, &pbase, &size);\n> @@ -959,6 +971,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          io.d2 = USE_LINUX_BDE_MMAP;\n>          break;\n>      case LUBDE_ENABLE_INTERRUPTS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n>              if (_devices[io.dev].isr && !_devices[io.dev].enabled) {\n>                  user_bde->interrupt_connect(io.dev,\n> @@ -978,12 +992,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_DISABLE_INTERRUPTS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].enabled) {\n>              user_bde->interrupt_disconnect(io.dev);\n>              _devices[io.dev].enabled = 0;\n>          }\n>          break;\n>      case LUBDE_WAIT_FOR_INTERRUPT:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n>              res = &_bde_inst_resource[_devices[io.dev].inst];\n>  #ifdef BDE_LINUX_NON_INTERRUPTIBLE\n> 
@@ -1040,27 +1058,39 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_WRITE_IRQ_MASK:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.rc = lkbde_irq_mask_set(io.dev, io.d0, io.d1, 0);\n>          break;\n>      case LUBDE_SPI_READ_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (user_bde->spi_read(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          } \n>          break;\n>      case LUBDE_SPI_WRITE_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (user_bde->spi_write(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n>          break;\n>      case LUBDE_READ_REG_16BIT_BUS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.d1 = user_bde->read(io.dev, io.d0);\n>          break;\n>      case LUBDE_WRITE_REG_16BIT_BUS:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.rc = user_bde->write(io.dev, io.d0, io.d1);\n>          break;\n>  #if (defined(BCM_PETRA_SUPPORT) || defined(BCM_DFE_SUPPORT))\n>      case LUBDE_CPU_WRITE_REG:\n>      {\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (lkbde_cpu_write(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> @@ -1068,6 +1098,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>      }\n>      case LUBDE_CPU_READ_REG:\n>      {\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (lkbde_cpu_read(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> 
@@ -1075,6 +1107,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>      }\n>      case LUBDE_CPU_PCI_REGISTER:\n>      {\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (lkbde_cpu_pci_register(io.dev) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> @@ -1082,6 +1116,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>      }\n>  #endif\n>      case LUBDE_DEV_RESOURCE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          bde_dev = user_bde->get_dev(io.dev);\n>          if (bde_dev) {\n>              if (BDE_DEV_MEM_MAPPED(_devices[io.dev].dev_type)) {\n> @@ -1094,12 +1130,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          }\n>          break;\n>      case LUBDE_IPROC_READ_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.d1 = user_bde->iproc_read(io.dev, io.d0);\n>          if (io.d1 == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n>          break;\n>      case LUBDE_IPROC_WRITE_REG:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          if (user_bde->iproc_write(io.dev, io.d0, io.d1) == -1) {\n>              io.rc = LUBDE_FAIL;\n>          }\n> 
@@ -1108,6 +1148,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n>          io.rc = _instance_attach(io.d0, io.d1);\n>          break;\n>      case LUBDE_GET_DEVICE_STATE:\n> +        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n> +\t\treturn -EINVAL;\n>          io.rc = lkbde_dev_state_get(io.dev, &io.d0);\n>          break;\n>      default:\n>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3yQfSy31fyz9sRg;\n\tTue, 31 Oct 2017 03:05:06 +1100 (AEDT)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1e9CYb-0006S8-KX; Mon, 30 Oct 2017 16:04:57 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)\n\tid 1e9CYa-0006Rh-6z\n\tfor kernel-team@lists.ubuntu.com; Mon, 30 Oct 2017 16:04:56 +0000","from mail-wr0-f198.google.com ([209.85.128.198])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1e9CYZ-0002FG-Vt\n\tfor kernel-team@lists.ubuntu.com; Mon, 30 Oct 2017 16:04:56 +0000","by mail-wr0-f198.google.com with SMTP id z96so8273277wrb.21\n\tfor <kernel-team@lists.ubuntu.com>;\n\tMon, 30 Oct 2017 09:04:55 -0700 (PDT)","from ?IPv6:2a02:8109:a540:7e8:8926:2094:ede9:dddc?\n\t([2a02:8109:a540:7e8:8926:2094:ede9:dddc])\n\tby smtp.gmail.com 
with ESMTPSA id\n\tv17sm10486687eda.70.2017.10.30.09.04.53\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 30 Oct 2017 09:04:53 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:subject:to:references:from:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;\n\tbh=ddmWk5iBQCdsDJ6OMdmQcYzGLqs7qyauaBky1IjasOE=;\n\tb=RJQn0lOYwkjGnOMhTWiroBG1D98fTNidOfAw55+23GmnM7TiCtkEjDD1EPr54ZtenO\n\tFixMaVCA3NVUhIj3YVKvKDCzJmpF/AlQKOshy2u6M8fecPL70H6xqJEzIaNmA9KK2OtS\n\tvKPeYyR3/T0lTvKQF3gfsmqQCCAkhs5itKQtHrAI858twuL9MiB/NpT+DlPTaqGFs/QJ\n\tyy+fMdabFPdRY+nXFJ9UtfqmPzNr6XAbwEK1HRfC9xG+OvOkv7nwxWU7eCoFMevHD6QI\n\t5izVMjzcm9Nz9iq//3zBeLWUm/6XV6R8eDJMAT37Q/I66ATONjt/Wl0czV0tN7mve38+\n\tc+aQ==","X-Gm-Message-State":"AMCzsaW7yBEY2h30ne9sr3BbiI86Nj1Ps4J28rB55HeqUEuEA1xLY2w1\n\tbYAU+3Gwyos9IxuqSSSu6b/etTCmO6OVlxNqHz7mA/knR3EkyGVy6jVTO8+VDrIuERSuSWv3VgZ\n\ttsNAZBjrPy7qBEvLWQYj0klCQ2l+F40BTnx1bg0FauA==","X-Received":["by 10.80.164.72 with SMTP id v8mr12083214edb.99.1509379495188;\n\tMon, 30 Oct 2017 09:04:55 -0700 (PDT)","by 10.80.164.72 with SMTP id v8mr12083179edb.99.1509379494696;\n\tMon, 30 Oct 2017 09:04:54 -0700 (PDT)"],"X-Google-Smtp-Source":"ABhQp+QzsHUkCMz0t9bamm51zy0ohip75ucet0V7tOeAlapx9a+lXbKsW+j0VTH1XIjvLJ7jQ0orDw==","Subject":"Re: [PATCH 3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds\n\tindex io.dev","To":"Colin King <colin.king@canonical.com>, kernel-team@lists.ubuntu.com","References":"<20170920102707.8266-1-colin.king@canonical.com>\n\t<20170920102707.8266-4-colin.king@canonical.com>","From":"Kleber Souza <kleber.souza@canonical.com>","Message-ID":"<fb35e0b0-4687-0bd0-5f86-4906c355ae06@canonical.com>","Date":"Mon, 30 Oct 2017 17:04:52 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) 
Gecko/20100101\n\tThunderbird/52.4.0","MIME-Version":"1.0","In-Reply-To":"<20170920102707.8266-4-colin.king@canonical.com>","Content-Language":"en-US","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}}]