[PATCH net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()

[PATCH net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()

[Dan Carpenter]

The bounds check on "index" doesn't catch negative values.  Using
ARRAY_SIZE() directly is more readable and more robust because it prevents
negative values for "index".  Fortunately we only pass valid values to
ipc_chnl_cfg_get() so this patch does not affect runtime.


Reported-by: Solomon Ucko <solly.ucko@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I suspect this is bug report was based on static analysis.  I had a
Smatch check that used to print a warning, but then I modified it to
only complain when the index was user controlled.

 drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
index 804e6c4f2c78..016c9c3aea8e 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
@@ -64,10 +64,9 @@ static struct ipc_chnl_cfg modem_cfg[] = {
 
 int ipc_chnl_cfg_get(struct ipc_chnl_cfg *chnl_cfg, int index)
 {
-	int array_size = ARRAY_SIZE(modem_cfg);
-
-	if (index >= array_size) {
-		pr_err("index: %d and array_size %d", index, array_size);
+	if (index >= ARRAY_SIZE(modem_cfg)) {
+		pr_err("index: %d and array_size %lu", index,
+		       ARRAY_SIZE(modem_cfg));
 		return -ECHRNG;
 	}
 
-- 
2.20.1

RE: [PATCH net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()

[Kumar, M Chetan]

Hi Dan,

> +++ b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
> @@ -64,10 +64,9 @@ static struct ipc_chnl_cfg modem_cfg[] = {
> 
>  int ipc_chnl_cfg_get(struct ipc_chnl_cfg *chnl_cfg, int index)  {
> -	int array_size = ARRAY_SIZE(modem_cfg);
> -
> -	if (index >= array_size) {
> -		pr_err("index: %d and array_size %d", index, array_size);
> +	if (index >= ARRAY_SIZE(modem_cfg)) {
> +		pr_err("index: %d and array_size %lu", index,

array_size is removed so please change array_size in pr_err to array size (remove _).

Also change in pr_err array size format "%lu" is throwing warning [1] in 32bit env.

[1]
                 from ../drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c:6:
../drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c: In function 'ipc_chnl_cfg_get':
../include/linux/kern_levels.h:5:18: warning: format '%lu' expects argument of type
 'long unsigned int', but argument 3 has type 'unsigned int' [-Wformat=]

Regards,
Chetan

[PATCH v2 net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()

[Dan Carpenter]

The bounds check on "index" doesn't catch negative values.  Using
ARRAY_SIZE() directly is more readable and more robust because it prevents
negative values for "index".  Fortunately we only pass valid values to
ipc_chnl_cfg_get() so this patch does not affect runtime.


Reported-by: Solomon Ucko <solly.ucko@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Remove underscore between "array" and "size".
    Use %zu print format specifier to fix a compile warning on 32 bit.

 drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
index 804e6c4f2c78..016c9c3aea8e 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
@@ -64,10 +64,9 @@ static struct ipc_chnl_cfg modem_cfg[] = {
 
 int ipc_chnl_cfg_get(struct ipc_chnl_cfg *chnl_cfg, int index)
 {
-	int array_size = ARRAY_SIZE(modem_cfg);
-
-	if (index >= array_size) {
-		pr_err("index: %d and array_size %d", index, array_size);
+	if (index >= ARRAY_SIZE(modem_cfg)) {
+		pr_err("index: %d and array size %zu", index,
+		       ARRAY_SIZE(modem_cfg));
 		return -ECHRNG;
 	}
 
-- 
2.20.1

RE: [PATCH v2 net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()

[Kumar, M Chetan]

> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: Monday, August 16, 2021 4:44 PM
> To: Kumar, M Chetan <m.chetan.kumar@intel.com>; Solomon Ucko
> <solly.ucko@gmail.com>
> Cc: linuxwwan <linuxwwan@intel.com>; Loic Poulain
> <loic.poulain@linaro.org>; Sergey Ryazanov <ryazanov.s.a@gmail.com>;
> Johannes Berg <johannes@sipsolutions.net>; David S. Miller
> <davem@davemloft.net>; Jakub Kicinski <kuba@kernel.org>;
> netdev@vger.kernel.org; security@kernel.org
> Subject: [PATCH v2 net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()
> 
> The bounds check on "index" doesn't catch negative values.  Using
> ARRAY_SIZE() directly is more readable and more robust because it prevents
> negative values for "index".  Fortunately we only pass valid values to
> ipc_chnl_cfg_get() so this patch does not affect runtime.
> 
> 
> Reported-by: Solomon Ucko <solly.ucko@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: Remove underscore between "array" and "size".
>     Use %zu print format specifier to fix a compile warning on 32 bit.
> 
>  drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)

Reviewed-by: M Chetan Kumar <m.chetan.kumar@intel.com>

Re: [PATCH v2 net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Mon, 16 Aug 2021 14:13:33 +0300 you wrote:
> The bounds check on "index" doesn't catch negative values.  Using
> ARRAY_SIZE() directly is more readable and more robust because it prevents
> negative values for "index".  Fortunately we only pass valid values to
> ipc_chnl_cfg_get() so this patch does not affect runtime.
> 
> 
> Reported-by: Solomon Ucko <solly.ucko@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> [...]

Here is the summary with links:
  - [v2,net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()
    https://git.kernel.org/netdev/net/c/4f3f2e3fa043

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html