LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* drivers/video/aty/atyfb_base.c: array overruns
@ 2007-03-19  9:22 Adrian Bunk
  2007-03-31  1:23 ` Antonino A. Daplas
  0 siblings, 1 reply; 3+ messages in thread
From: Adrian Bunk @ 2007-03-19  9:22 UTC (permalink / raw)
  To: Antonino Daplas, Richard Purdie; +Cc: linux-kernel

The Coverity checker spotted the following two array overruns in 
drivers/video/aty/atyfb_base.c:

<--  snip  -->

...
static const u32 lt_lcd_regs[] = {
        CONFIG_PANEL_LG,
        LCD_GEN_CNTL_LG,
        DSTN_CONTROL_LG,
        HFB_PITCH_ADDR_LG,
        HORZ_STRETCHING_LG,
        VERT_STRETCHING_LG,
        0, /* EXT_VERT_STRETCH */
        LT_GIO_LG,
        POWER_MANAGEMENT_LG
};

void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
{
        if (M64_HAS(LT_LCD_REGS)) {
                aty_st_le32(lt_lcd_regs[index], val, par);
...
}
...
u32 aty_ld_lcd(int index, const struct atyfb_par *par)
{
        if (M64_HAS(LT_LCD_REGS)) {
                return aty_ld_le32(lt_lcd_regs[index], par);
...
}
...
static int aty_bl_update_status(struct backlight_device *bd)
{
        struct atyfb_par *par = class_get_devdata(&bd->class_dev);
        unsigned int reg = aty_ld_lcd(LCD_MISC_CNTL, par);
...
        aty_st_lcd(LCD_MISC_CNTL, reg, par);

        return 0;
}
...

<--  snip  -->

LCD_MISC_CNTL = 0x14 = 20 > 8

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: drivers/video/aty/atyfb_base.c: array overruns
  2007-03-19  9:22 drivers/video/aty/atyfb_base.c: array overruns Adrian Bunk
@ 2007-03-31  1:23 ` Antonino A. Daplas
  2007-03-31 14:25   ` syrjala
  0 siblings, 1 reply; 3+ messages in thread
From: Antonino A. Daplas @ 2007-03-31  1:23 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Richard Purdie, linux-kernel, Ville Syrjälä

On Mon, 2007-03-19 at 10:22 +0100, Adrian Bunk wrote:
> The Coverity checker spotted the following two array overruns in 
> drivers/video/aty/atyfb_base.c:
> 
> <--  snip  -->
> 
> ...
> static const u32 lt_lcd_regs[] = {
>         CONFIG_PANEL_LG,
>         LCD_GEN_CNTL_LG,
>         DSTN_CONTROL_LG,
>         HFB_PITCH_ADDR_LG,
>         HORZ_STRETCHING_LG,
>         VERT_STRETCHING_LG,
>         0, /* EXT_VERT_STRETCH */
>         LT_GIO_LG,
>         POWER_MANAGEMENT_LG
> };

We can pad this array with zeroes, as a stop-gap measure. Ville, what do
you think?

Tony

> 
> void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> {
>         if (M64_HAS(LT_LCD_REGS)) {
>                 aty_st_le32(lt_lcd_regs[index], val, par);
> ...
> }
> ...
> u32 aty_ld_lcd(int index, const struct atyfb_par *par)
> {
>         if (M64_HAS(LT_LCD_REGS)) {
>                 return aty_ld_le32(lt_lcd_regs[index], par);
> ...
> }
> ...
> static int aty_bl_update_status(struct backlight_device *bd)
> {
>         struct atyfb_par *par = class_get_devdata(&bd->class_dev);
>         unsigned int reg = aty_ld_lcd(LCD_MISC_CNTL, par);
> ...
>         aty_st_lcd(LCD_MISC_CNTL, reg, par);
> 
>         return 0;
> }
> ...
> 
> <--  snip  -->
> 
> LCD_MISC_CNTL = 0x14 = 20 > 8
> 
> cu
> Adrian
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: drivers/video/aty/atyfb_base.c: array overruns
  2007-03-31  1:23 ` Antonino A. Daplas
@ 2007-03-31 14:25   ` syrjala
  0 siblings, 0 replies; 3+ messages in thread
From: syrjala @ 2007-03-31 14:25 UTC (permalink / raw)
  To: Antonino A. Daplas; +Cc: Adrian Bunk, Richard Purdie, linux-kernel

On Sat, Mar 31, 2007 at 09:23:29AM +0800, Antonino A. Daplas wrote:
> On Mon, 2007-03-19 at 10:22 +0100, Adrian Bunk wrote:
> > The Coverity checker spotted the following two array overruns in 
> > drivers/video/aty/atyfb_base.c:
> > 
> > <--  snip  -->
> > 
> > ...
> > static const u32 lt_lcd_regs[] = {
> >         CONFIG_PANEL_LG,
> >         LCD_GEN_CNTL_LG,
> >         DSTN_CONTROL_LG,
> >         HFB_PITCH_ADDR_LG,
> >         HORZ_STRETCHING_LG,
> >         VERT_STRETCHING_LG,
> >         0, /* EXT_VERT_STRETCH */
> >         LT_GIO_LG,
> >         POWER_MANAGEMENT_LG
> > };
> 
> We can pad this array with zeroes, as a stop-gap measure. Ville, what do
> you think?

Actually this array overrun can never happen. LCD_MISC_CNTL is accessed
in the in the pmac backlight code and the backlight device is not
registered for the Rage LT chip (only user of lt_lcd_regs[]).

> > 
> > void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> > {
> >         if (M64_HAS(LT_LCD_REGS)) {
> >                 aty_st_le32(lt_lcd_regs[index], val, par);
> > ...
> > }
> > ...
> > u32 aty_ld_lcd(int index, const struct atyfb_par *par)
> > {
> >         if (M64_HAS(LT_LCD_REGS)) {
> >                 return aty_ld_le32(lt_lcd_regs[index], par);
> > ...
> > }
> > ...
> > static int aty_bl_update_status(struct backlight_device *bd)
> > {
> >         struct atyfb_par *par = class_get_devdata(&bd->class_dev);
> >         unsigned int reg = aty_ld_lcd(LCD_MISC_CNTL, par);
> > ...
> >         aty_st_lcd(LCD_MISC_CNTL, reg, par);
> > 
> >         return 0;
> > }
> > ...
> > 
> > <--  snip  -->
> > 
> > LCD_MISC_CNTL = 0x14 = 20 > 8
> > 
> > cu
> > Adrian
> > 
> 

-- 
Ville Syrjälä
syrjala@sci.fi
http://www.sci.fi/~syrjala/

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2007-03-31 14:45 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-03-19  9:22 drivers/video/aty/atyfb_base.c: array overruns Adrian Bunk
2007-03-31  1:23 ` Antonino A. Daplas
2007-03-31 14:25   ` syrjala

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).