firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The scmi_linux_errmap buffer access index is supposed to depend on the
array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
to check bounds but that can mismatch with the array size. It also
changes the success into -EIO though scmi_linux_errmap is never used in
case of success, it is expected to work for success case too.

It is slightly confusing code as the negative of the error code
is used as index to the buffer. Fix it by negating it at the start and
make it more readable.

Link: https://lore.kernel.org/r/20210707135028.1869642-1-sudeep.holla@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>

Sudeep Holla 4 years ago 7a691f16 5e469dac

+4 -3

1 changed file

expand all

drivers

firmware

arm_scmi

driver.c

+4 -3

drivers/firmware/arm_scmi/driver.c

··· 47 47 SCMI_ERR_GENERIC = -8, /* Generic Error */ 48 48 SCMI_ERR_HARDWARE = -9, /* Hardware Error */ 49 49 SCMI_ERR_PROTOCOL = -10,/* Protocol Error */ 50 - SCMI_ERR_MAX 51 50 }; 52 51 53 52 /* List of all SCMI devices active in system */ ··· 165 166 166 167 static inline int scmi_to_linux_errno(int errno) 167 168 { 168 - if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX) 169 - return scmi_linux_errmap[-errno]; 169 + int err_idx = -errno; 170 + 171 + if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap)) 172 + return scmi_linux_errmap[err_idx]; 170 173 return -EIO; 171 174 } 172 175

Configure Feed

Configure Feed