Message ID | 20230602085546.376086-1-d.dulov@aladdin.ru |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp892646vqr; Fri, 2 Jun 2023 02:13:53 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7e0tCi9Vxf7xdXquMj6FwDkKUEnvopPB0XyF6xGJqI5R4PM3FJeDNjNPSonmAGuBiH7TUc X-Received: by 2002:a05:6a20:43a2:b0:10a:a0e1:96fa with SMTP id i34-20020a056a2043a200b0010aa0e196famr8153860pzl.22.1685697232852; Fri, 02 Jun 2023 02:13:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685697232; cv=none; d=google.com; s=arc-20160816; b=sQ7BJOa+DH/CcYW4k6KpZGFTP1PCm6OrICpprsMac7nYSwta9zyeZjvTijHlzYyHsB GHAe7YJDKgZmkQLFuzw75oq8Fmswxo6gkGKIZ1yyjtGctCSLiqWGtlYjnEcgnqS7qao/ 4OUAKx0q3xTHs8iQJOSGDOgV+mnEKObRYm0wL/r0QvmyprS2aM277gjj2XORFxKwGpeB F1Lutdua+t2rGOJP6V/wr5JLJmwbIZJpJnqSsQMaeAVPqvPc5oemm+3QJfdIfuuprY+k Fk9Tj8X4gXgFy2lWapKpZtcJ221TX5iE0xKhedSlvRPMo/kyaHUQOLJU6maRXDtYvfXG xBSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=0EW4q+l4tJr6iOg12Tei5XHVBbkzj3F/wFek7YoioTM=; b=iH8j3Yl0z7Rv2WeLVfXktVEt92XsE1gDnDEToPFLhvCak8Ymui6F8qCyMt6aVBywJa c9OE523uSdlNKLB3O401RDOS5tGCA6ZcbC1hEHJNnyAGF39iZRcnuF+rMwjf4L3ZUaKI Hw9FHXhaIOHqwKhPoXsdXTTxhL9+CDf6KLYaoyfhWj79pIW2dDOMmXfWhLok5lnHwA98 k9epvsQC7hWCjYf7tOiix7nK4RlVhVP0bTKrOKilzxclB21/4DVm+LRTtce8FJ4lriYH 0VCosAxNbyvfTKtb9cui1TTZua6VCOKH+2WoGNaaihK8UMr7j4Y5RdTQo3SBR8kkKdP9 if8A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t24-20020a639558000000b0053ff4cf95bbsi650906pgn.764.2023.06.02.02.13.39; Fri, 02 Jun 2023 02:13:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235114AbjFBJMt (ORCPT <rfc822;limurcpp@gmail.com> + 99 others); Fri, 2 Jun 2023 05:12:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35496 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234833AbjFBJMW (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Fri, 2 Jun 2023 05:12:22 -0400 X-Greylist: delayed 903 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Fri, 02 Jun 2023 02:10:57 PDT Received: from mail-out.aladdin-rd.ru (mail-out.aladdin-rd.ru [91.199.251.16]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15F50E5F; Fri, 2 Jun 2023 02:10:57 -0700 (PDT) From: Daniil Dulov <d.dulov@aladdin.ru> To: Zhang Rui <rui.zhang@intel.com> CC: Daniil Dulov <d.dulov@aladdin.ru>, Daniel Lezcano <daniel.lezcano@linaro.org>, Amit Kucheria <amitk@kernel.org>, "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Chen Yu <yu.c.chen@intel.com>, Sasha Levin <sashal@kernel.org>, Arjan van de Ven <arjan@linux.intel.com>, Jacob Pan <jacob.jun.pan@linux.intel.com>, <linux-pm@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org> Subject: [PATCH] thermal: intel_powerclamp: Check for a possible array out of bounds access. Date: Fri, 2 Jun 2023 01:55:46 -0700 Message-ID: <20230602085546.376086-1-d.dulov@aladdin.ru> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.0.20.125] X-ClientProxiedBy: EXCH-2016-02.aladdin.ru (192.168.1.102) To EXCH-2016-01.aladdin.ru (192.168.1.101) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1767581661352594488?= X-GMAIL-MSGID: =?utf-8?q?1767581661352594488?= |
Series |
thermal: intel_powerclamp: Check for a possible array out of bounds access.
|
|
Commit Message
Daniil Dulov
June 2, 2023, 8:55 a.m. UTC
ratio may be equal to MAX_TARGET_RATIO - 1 that will result in
out of bound access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d6d71ee4a14a ("PM: Introduce Intel PowerClamp Driver")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
drivers/thermal/intel/intel_powerclamp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
Cc list trimmed. On Fri, Jun 2, 2023 at 11:12 AM Daniil Dulov <d.dulov@aladdin.ru> wrote: > > ratio may be equal to MAX_TARGET_RATIO - 1 that will result in > out of bound access. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: d6d71ee4a14a ("PM: Introduce Intel PowerClamp Driver") > Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> > --- > drivers/thermal/intel/intel_powerclamp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c > index fb04470d7d4b..9deaf2b8ccf6 100644 > --- a/drivers/thermal/intel/intel_powerclamp.c > +++ b/drivers/thermal/intel/intel_powerclamp.c > @@ -277,7 +277,8 @@ static unsigned int get_compensation(int ratio) > comp = (cal_data[ratio].steady_comp + > cal_data[ratio - 1].steady_comp + > cal_data[ratio - 2].steady_comp) / 3; > - } else if (cal_data[ratio].confidence >= CONFIDENCE_OK && > + } else if (ratio < MAX_TARGET_RATIO - 1 && > + cal_data[ratio].confidence >= CONFIDENCE_OK && > cal_data[ratio - 1].confidence >= CONFIDENCE_OK && > cal_data[ratio + 1].confidence >= CONFIDENCE_OK) { > comp = (cal_data[ratio].steady_comp + > -- Rui, Srinivas, can you have a look at this, please?
On Sun, 2023-06-04 at 18:13 +0200, Rafael J. Wysocki wrote: > Cc list trimmed. > > On Fri, Jun 2, 2023 at 11:12 AM Daniil Dulov <d.dulov@aladdin.ru> > wrote: > > > > ratio may be equal to MAX_TARGET_RATIO - 1 that will result in > > out of bound access. > > The description was not clear to me. May be something like this: " The max value of "ratio" parameter passed to the function get_compensation() is MAX_TARGET_RATIO - 1. The size of cal_data array is MAX_TARGET_RATIO. Hence, accessing cal_data[ratio + 1], will result in out of bound access. Add a condition to check ratio < MAX_TARGET_RATIO - 1, before accsssing cal_data[ratio + 1]. " The change is correct. But for actual code change, the ratio < MAX_TARGET_RATIO - 1 is also checked in else if() before, which can be merged to check only once for this condition. Thanks, Srinivas > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > > > Fixes: d6d71ee4a14a ("PM: Introduce Intel PowerClamp Driver") > > Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> > > --- > > drivers/thermal/intel/intel_powerclamp.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/thermal/intel/intel_powerclamp.c > > b/drivers/thermal/intel/intel_powerclamp.c > > index fb04470d7d4b..9deaf2b8ccf6 100644 > > --- a/drivers/thermal/intel/intel_powerclamp.c > > +++ b/drivers/thermal/intel/intel_powerclamp.c > > @@ -277,7 +277,8 @@ static unsigned int get_compensation(int ratio) > > comp = (cal_data[ratio].steady_comp + > > cal_data[ratio - 1].steady_comp + > > cal_data[ratio - 2].steady_comp) / 3; > > - } else if (cal_data[ratio].confidence >= CONFIDENCE_OK && I think the concern is that cal_data[ratio + 1] is going out of bound for the "ratio" passed to this function, when ratio == ARRAY_SIZE(cal_data) - 1; Here size of cal_data array is 50. The max possible "ratio" passed can be 49. > > + } else if (ratio < MAX_TARGET_RATIO - 1 && > > + cal_data[ratio].confidence >= CONFIDENCE_OK && > > cal_data[ratio - 1].confidence >= CONFIDENCE_OK && > > cal_data[ratio + 1].confidence >= CONFIDENCE_OK) { > > comp = (cal_data[ratio].steady_comp + > > -- > > Rui, Srinivas, can you have a look at this, please?
diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c index fb04470d7d4b..9deaf2b8ccf6 100644 --- a/drivers/thermal/intel/intel_powerclamp.c +++ b/drivers/thermal/intel/intel_powerclamp.c @@ -277,7 +277,8 @@ static unsigned int get_compensation(int ratio) comp = (cal_data[ratio].steady_comp + cal_data[ratio - 1].steady_comp + cal_data[ratio - 2].steady_comp) / 3; - } else if (cal_data[ratio].confidence >= CONFIDENCE_OK && + } else if (ratio < MAX_TARGET_RATIO - 1 && + cal_data[ratio].confidence >= CONFIDENCE_OK && cal_data[ratio - 1].confidence >= CONFIDENCE_OK && cal_data[ratio + 1].confidence >= CONFIDENCE_OK) { comp = (cal_data[ratio].steady_comp +