{"id":816125,"url":"http://patchwork.ozlabs.org/api/patches/816125/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170920102707.8266-4-colin.king@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170920102707.8266-4-colin.king@canonical.com>","list_archive_url":null,"date":"2017-09-20T10:27:07","name":"[3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds index io.dev","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a13f3cbe1dbf6fce4c01b0f7789c337a8bc8c928","submitter":{"id":2900,"url":"http://patchwork.ozlabs.org/api/people/2900/?format=json","name":"Colin Ian King","email":"colin.king@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170920102707.8266-4-colin.king@canonical.com/mbox/","series":[{"id":4075,"url":"http://patchwork.ozlabs.org/api/series/4075/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=4075","date":"2017-09-20T10:27:04","name":"UBUNTU: SAUCE: opennsl: fix static analysis issues","version":1,"mbox":"http://patchwork.ozlabs.org/series/4075/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/816125/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/816125/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; 
helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xxwsb3Typz9s81;\n\tWed, 20 Sep 2017 20:27:15 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1ducDn-0002KH-OT; Wed, 20 Sep 2017 10:27:11 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <colin.king@canonical.com>)\n\tid 1ducDl-0002IR-T7\n\tfor kernel-team@lists.ubuntu.com; Wed, 20 Sep 2017 10:27:09 +0000","from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost)\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <colin.king@canonical.com>)\n\tid 1ducDl-00080u-AU; Wed, 20 Sep 2017 10:27:09 +0000"],"From":"Colin King <colin.king@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[PATCH 3/3] UBUNTU: SAUCE: opennsl: bde: check for out-of-bounds\n\tindex io.dev","Date":"Wed, 20 Sep 2017 11:27:07 +0100","Message-Id":"<20170920102707.8266-4-colin.king@canonical.com>","X-Mailer":"git-send-email 2.14.1","In-Reply-To":"<20170920102707.8266-1-colin.king@canonical.com>","References":"<20170920102707.8266-1-colin.king@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Colin Ian King <colin.king@canonical.com>\n\nBugLink: https://launchpad.net/bugs/1718388\n\nio.dev is used as an index into the _devices array and currently\nthe user may pass any unsigned int value into io.dev which can create\nan out-of-bounds error.  
Fix this by sanity checking io.dev and\nreturning -EINVAL for out-of-bounds values of io.dev\n\nDetected by CoverityScan CID#1456895 (\"Untrusted array index read\")\n\nSigned-off-by: Colin Ian King <colin.king@canonical.com>\n---\n .../systems/bde/linux/user/kernel/linux-user-bde.c | 42 ++++++++++++++++++++++\n 1 file changed, 42 insertions(+)","diff":"diff --git a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\nindex 2d7a521..44adb45 100644\n--- a/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n+++ b/ubuntu/opennsl/OpenNSL/sdk-6.4.10-gpl-modules/systems/bde/linux/user/kernel/linux-user-bde.c\n@@ -912,6 +912,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         io.d0 = user_bde->num_devices(io.dev);\n         break;\n     case LUBDE_GET_DEVICE:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         bde_dev = user_bde->get_dev(io.dev);\n         if (bde_dev) {\n             io.d0 = bde_dev->device;\n@@ -926,13 +928,19 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         }\n         break;\n     case LUBDE_GET_DEVICE_TYPE:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         io.d0 = _devices[io.dev].dev_type;\n         break;\n     case LUBDE_GET_BUS_FEATURES:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         user_bde->pci_bus_features(io.dev, (int *) &io.d0, (int *) &io.d1,\n                                    (int *) &io.d2);\n         break;\n     case LUBDE_PCI_CONFIG_PUT32:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n             user_bde->pci_conf_write(io.dev, io.d0, io.d1);\n         } else {\n@@ -940,6 +948,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         }\n         break;\n     case 
LUBDE_PCI_CONFIG_GET32:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (_devices[io.dev].dev_type & BDE_PCI_DEV_TYPE) {\n             io.d0 = user_bde->pci_conf_read(io.dev, io.d0);\n         } else {\n@@ -947,6 +957,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         }\n         break;\n     case LUBDE_GET_DMA_INFO:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         inst_id = io.dev;\n         if (_bde_multi_inst){\n             _dma_resource_get(inst_id, &pbase, &size);\n@@ -959,6 +971,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         io.d2 = USE_LINUX_BDE_MMAP;\n         break;\n     case LUBDE_ENABLE_INTERRUPTS:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n             if (_devices[io.dev].isr && !_devices[io.dev].enabled) {\n                 user_bde->interrupt_connect(io.dev,\n@@ -978,12 +992,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         }\n         break;\n     case LUBDE_DISABLE_INTERRUPTS:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (_devices[io.dev].enabled) {\n             user_bde->interrupt_disconnect(io.dev);\n             _devices[io.dev].enabled = 0;\n         }\n         break;\n     case LUBDE_WAIT_FOR_INTERRUPT:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (_devices[io.dev].dev_type & BDE_SWITCH_DEV_TYPE) {\n             res = &_bde_inst_resource[_devices[io.dev].inst];\n #ifdef BDE_LINUX_NON_INTERRUPTIBLE\n@@ -1040,27 +1058,39 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         }\n         break;\n     case LUBDE_WRITE_IRQ_MASK:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         io.rc = lkbde_irq_mask_set(io.dev, io.d0, io.d1, 0);\n         break;\n     case LUBDE_SPI_READ_REG:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if 
(user_bde->spi_read(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n             io.rc = LUBDE_FAIL;\n         } \n         break;\n     case LUBDE_SPI_WRITE_REG:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (user_bde->spi_write(io.dev, io.d0, io.dx.buf, io.d1) == -1) {\n             io.rc = LUBDE_FAIL;\n         }\n         break;\n     case LUBDE_READ_REG_16BIT_BUS:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         io.d1 = user_bde->read(io.dev, io.d0);\n         break;\n     case LUBDE_WRITE_REG_16BIT_BUS:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         io.rc = user_bde->write(io.dev, io.d0, io.d1);\n         break;\n #if (defined(BCM_PETRA_SUPPORT) || defined(BCM_DFE_SUPPORT))\n     case LUBDE_CPU_WRITE_REG:\n     {\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (lkbde_cpu_write(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n             io.rc = LUBDE_FAIL;\n         }\n@@ -1068,6 +1098,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n     }\n     case LUBDE_CPU_READ_REG:\n     {\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (lkbde_cpu_read(io.dev, io.d0, (uint32*)io.dx.buf) == -1) {\n             io.rc = LUBDE_FAIL;\n         }\n@@ -1075,6 +1107,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n     }\n     case LUBDE_CPU_PCI_REGISTER:\n     {\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (lkbde_cpu_pci_register(io.dev) == -1) {\n             io.rc = LUBDE_FAIL;\n         }\n@@ -1082,6 +1116,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n     }\n #endif\n     case LUBDE_DEV_RESOURCE:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         bde_dev = user_bde->get_dev(io.dev);\n         if (bde_dev) {\n             if (BDE_DEV_MEM_MAPPED(_devices[io.dev].dev_type)) {\n@@ -1094,12 +1130,16 @@ _ioctl(unsigned int cmd, unsigned long arg)\n       
  }\n         break;\n     case LUBDE_IPROC_READ_REG:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         io.d1 = user_bde->iproc_read(io.dev, io.d0);\n         if (io.d1 == -1) {\n             io.rc = LUBDE_FAIL;\n         }\n         break;\n     case LUBDE_IPROC_WRITE_REG:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         if (user_bde->iproc_write(io.dev, io.d0, io.d1) == -1) {\n             io.rc = LUBDE_FAIL;\n         }\n@@ -1108,6 +1148,8 @@ _ioctl(unsigned int cmd, unsigned long arg)\n         io.rc = _instance_attach(io.d0, io.d1);\n         break;\n     case LUBDE_GET_DEVICE_STATE:\n+        if (io.dev >= LINUX_BDE_MAX_DEVICES)\n+\t\treturn -EINVAL;\n         io.rc = lkbde_dev_state_get(io.dev, &io.d0);\n         break;\n     default:\n","prefixes":["3/3"]}
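Review bot: In the first hunk (case LUBDE_GET_DEVICE) and in every check added after it, the `return -EINVAL;` line is indented with two tabs while the `if` above it and the surrounding code use spaces; use spaces to match the file. The same two-line test is pasted into 21 cases, so a later case that indexes by io.dev can easily miss it. Consider one helper, or a single check ahead of the switch for the commands that take a device index, and say in the commit message why the `user_bde->num_devices(io.dev)` call just above this hunk is left unchecked.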
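Review bot: In the hunk covering LUBDE_GET_DEVICE_TYPE through LUBDE_PCI_CONFIG_PUT32, the check assumes `_devices` has exactly LINUX_BDE_MAX_DEVICES elements, but the array's declaration is not in the diff context. Please confirm that, or bound the test with `ARRAY_SIZE(_devices)` so the check cannot drift from the array it protects.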
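Review bot: In the LUBDE_GET_DMA_INFO hunk, io.dev is copied into `inst_id` and passed to `_dma_resource_get()` as an instance id rather than used as a `_devices` index, so LINUX_BDE_MAX_DEVICES may not be the right limit for this case. Please check which bound applies to the instance resources and test against that, or state in the commit message that the two limits are the same.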
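Review bot: In the hunk covering LUBDE_WRITE_IRQ_MASK through LUBDE_CPU_WRITE_REG, the existing failure paths set `io.rc = LUBDE_FAIL` and then `break`, while the new checks return -EINVAL straight out of `_ioctl()`. That skips whatever follows the switch and gives user space a different failure signal from the one these commands already use. Confirm that nothing after the switch needs to run on this path, and mention the change in error reporting in the commit message.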