[net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
diff mbox series

Message ID 20190213082304.GA14113@kadam
State Accepted
Delegated to: David Miller
Headers show
Series
  • [net] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
Related show

Commit Message

Dan Carpenter Feb. 13, 2019, 8:23 a.m. UTC
The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
array is allocated in dsa_switch_alloc() and it has ds->num_ports
elements so this leads to a static checker warning about a potential out
of bounds read.

Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/dsa/bcm_sf2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Vivien Didelot Feb. 13, 2019, 1:13 p.m. UTC | #1
On Wed, 13 Feb 2019 11:23:04 +0300, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
> than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
> the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
> array is allocated in dsa_switch_alloc() and it has ds->num_ports
> elements so this leads to a static checker warning about a potential out
> of bounds read.
> 
> Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
David Miller Feb. 14, 2019, 6:13 a.m. UTC | #2
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 13 Feb 2019 11:23:04 +0300

> The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
> than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
> the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
> array is allocated in dsa_switch_alloc() and it has ds->num_ports
> elements so this leads to a static checker warning about a potential out
> of bounds read.
> 
> Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.
Florian Fainelli Feb. 15, 2019, 12:31 a.m. UTC | #3
On 2/13/19 10:13 PM, David Miller wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Date: Wed, 13 Feb 2019 11:23:04 +0300
> 
>> The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
>> than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
>> the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
>> array is allocated in dsa_switch_alloc() and it has ds->num_ports
>> elements so this leads to a static checker warning about a potential out
>> of bounds read.

This would not happen here because bcm_sf2 calls b53_switch_alloc()
which does allocate the full port range (not for a good reason), but
it's good to fix that anyways.

>>
>> Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Applied.
>

Patch
diff mbox series

diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index 5193da67dcdc..98696a88fa1c 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -690,7 +690,7 @@  static int bcm_sf2_sw_suspend(struct dsa_switch *ds)
 	 * port, the other ones have already been disabled during
 	 * bcm_sf2_sw_setup
 	 */
-	for (port = 0; port < DSA_MAX_PORTS; port++) {
+	for (port = 0; port < ds->num_ports; port++) {
 		if (dsa_is_user_port(ds, port) || dsa_is_cpu_port(ds, port))
 			bcm_sf2_port_disable(ds, port, NULL);
 	}