On 4/14/2021 3:46 AM, Zhang, Tianfei wrote:
>
>
>> -----Original Message-----
>> From: Aaron Conole <acon...@redhat.com>
>> Sent: 2021年4月9日 22:56
>> To: Yigit, Ferruh <ferruh.yi...@intel.com>
>> Cc: David Marchand <david.march...@redhat.com>; sta...@dpdk.org;
>> Zhang, Tianfei <tianfei.zh...@intel.com>; Huang, Wei
>> <wei.hu...@intel.com>; Zhang, Qi Z <qi.z.zh...@intel.com>; Xu, Rosen
>> <rosen...@intel.com>; dev@dpdk.org; Mcnamara, John
>> <john.mcnam...@intel.com>
>> Subject: Re: [PATCH v2 1/1] raw/ifpga/base: check size before assigning
>>
>> Ferruh Yigit <ferruh.yi...@intel.com> writes:
>>
>>> On 4/8/2021 9:51 AM, Wei Huang wrote:
>>>> In max10_staging_area_init(), variable "size" from fdt_get_reg() may
>>>> be invalid, it should be checked before assigning to member variable
>>>> "staging_area_size" of structure "intel_max10_device".
>>>>
>>>> Coverity issue: 367480, 367482
>>>> Fixes: 96ebfcf8125c ("raw/ifpga/base: add SPI and MAX10 device
>>>> driver")
>>>>
>>>> Signed-off-by: Wei Huang <wei.hu...@intel.com>
>>>> ---
>>>> v2: check size before assigning to staging_area_size
>>>> ---
>>>> drivers/raw/ifpga/base/opae_intel_max10.c | 2 +-
>>>> drivers/raw/ifpga/base/opae_intel_max10.h | 1 +
>>>> 2 files changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c
>>>> b/drivers/raw/ifpga/base/opae_intel_max10.c
>>>> index 443e248fb3..c223fafa03 100644
>>>> --- a/drivers/raw/ifpga/base/opae_intel_max10.c
>>>> +++ b/drivers/raw/ifpga/base/opae_intel_max10.c
>>>> @@ -593,7 +593,7 @@ static int max10_staging_area_init(struct
>> intel_max10_device *dev)
>>>> continue;
>>>> ret = fdt_get_reg(fdt_root, offset, 0, &start, &size);
>>>> -if (!ret) {
>>>> +if (!ret && (size <= MAX_STAGING_AREA_SIZE)) {
>>>> dev->staging_area_base = start;
>>>> dev->staging_area_size = size;
>>>> }
>>>> diff --git a/drivers/raw/ifpga/base/opae_intel_max10.h
>>>> b/drivers/raw/ifpga/base/opae_intel_max10.h
>>>> index 670683f017..e7142d6f0d 100644
>>>> --- a/drivers/raw/ifpga/base/opae_intel_max10.h
>>>> +++ b/drivers/raw/ifpga/base/opae_intel_max10.h
>>>> @@ -182,6 +182,7 @@ struct opae_retimer_status {
>>>> #define SBUS_VERSIONGENMASK(31, 16)
>>>> #define DFT_MAX_SIZE0x7e0000
>>>> +#define MAX_STAGING_AREA_SIZE0x3800000
>>>> int max10_reg_read(struct intel_max10_device *dev,
>>>> unsigned int reg, unsigned int *val);
>>>>
>>>
>>> Hi Aaron, David,
>>>
>>> The data flow is complex for this coverity issues [1], at least I
>>> can't confirm that change fixes the issue.
>>>
>>> Are you aware of any way to confirm this coverity issue before merging it?
>>
>> Not generically. :-/
>>
>> We need someone that understands the data flow and the coverity splat to
>> know that the fix is correct. Coverity even ratelimits how many outstanding
>> submissions we can post, iirc, so we don't get to push patch sets (unless we
>> pay? I don't recall if there's an option for that).
>
> This fix is looks good for me. The fdt_get_reg() function just read out the
> content of some items from DTS file,
> We call the libfdt library API to do this.
> The Coverity just assume some attacker broken the DTS file or invoke the
> function with arbitrary values, it is not safety,
> So this patch add some checking after the function return.
>
Hi Tianfei, Wei, Rosen,
The defect is reported in Coverity, as concerned, can you please look at it?
>>
>>> [1]
>>> https://scan4.coverity.com/reports.htm#v26325/p10075/fileInstanceId=10
>>> 0181086&defectInstanceId=14238477&mergedDefectId=367480
>
