From patchwork Wed Feb 13 08:23:04 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 1041034
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=oracle.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=oracle.com header.i=@oracle.com
	header.b="osv5ALE4"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 43zswz4CqMz9s7h
	for <patchwork-incoming-netdev@ozlabs.org>;
	Wed, 13 Feb 2019 19:23:31 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S2390615AbfBMIX3 (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 13 Feb 2019 03:23:29 -0500
Received: from userp2130.oracle.com ([156.151.31.86]:35460 "EHLO
	userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S2387986AbfBMIX3 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 13 Feb 2019 03:23:29 -0500
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1])
	by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id
	x1D8Ijah077897; Wed, 13 Feb 2019 08:23:20 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
	h=date : from : to : cc
	: subject : message-id : mime-version : content-type;
	s=corp-2018-07-02;
	bh=3gA8jJH7QkPKgNdac8a2zH9t0hbVyCi4O6PubvJC+Os=;
	b=osv5ALE4DQ0t/R0K11HkDoXefRx6vWY7Vi+P6h1zuilRa01obDXAkHRlpfaghNXmWLVe
	j/2qGKtdU9M9ufDuPXaOJ2hFE6e2b2sFTvRENfd+9NjKFT99i1GyBCxOu9b8h1Msc1m0
	WCM6Bi1dO2zcuJW6rAAeg2Y/cx9IfbZGPj8+7PHTejzQTkr2vzezYvkoZQa8DwYfByX6
	tFhqOYCb1h2OlwUj2g9ESngOG4FsIGUj0c5vbHpzcAXgkliI8FF32TuKk6bMbDc6RqeM
	FbnhaV8HlAsbEYZSxwYr7vMlQO/Y/vJaToaLEuxrekraUmQt/47RwvP2eoFPsopi/SFL
	MQ==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233])
	by userp2130.oracle.com with ESMTP id 2qhrekggg6-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK); Wed, 13 Feb 2019 08:23:20 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
	by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id x1D8NI8k013684
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK); Wed, 13 Feb 2019 08:23:18 GMT
Received: from abhmp0020.oracle.com (abhmp0020.oracle.com [141.146.116.26])
	by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id
	x1D8ND2r022304; Wed, 13 Feb 2019 08:23:13 GMT
Received: from kadam (/41.202.241.15)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Wed, 13 Feb 2019 08:23:12 +0000
Date: Wed, 13 Feb 2019 11:23:04 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Andrew Lunn <andrew@lunn.ch>, Florian Fainelli <f.fainelli@gmail.com>
Cc: Vivien Didelot <vivien.didelot@gmail.com>,
	"David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH net] net: dsa: bcm_sf2: potential array overflow in
	bcm_sf2_sw_suspend()
Message-ID: <20190213082304.GA14113@kadam>
MIME-Version: 1.0
Content-Disposition: inline
X-Mailer: git-send-email haha only kidding
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9165
	signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
	priorityscore=1501 malwarescore=0
	suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015
	lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999
	adultscore=0
	classifier=spam adjust=0 reason=mlx scancount=1
	engine=8.0.1-1810050000
	definitions=main-1902130062
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
array is allocated in dsa_switch_alloc() and it has ds->num_ports
elements so this leads to a static checker warning about a potential out
of bounds read.

Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
---
 drivers/net/dsa/bcm_sf2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index 5193da67dcdc..98696a88fa1c 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -690,7 +690,7 @@ static int bcm_sf2_sw_suspend(struct dsa_switch *ds)
 	 * port, the other ones have already been disabled during
 	 * bcm_sf2_sw_setup
 	 */
-	for (port = 0; port < DSA_MAX_PORTS; port++) {
+	for (port = 0; port < ds->num_ports; port++) {
 		if (dsa_is_user_port(ds, port) || dsa_is_cpu_port(ds, port))
 			bcm_sf2_port_disable(ds, port, NULL);
 	}