Re: [PATCH] ARM: dma-mapping: fix out of bounds access in CMA

Tue, 23 Mar 2021 06:30:06 -0700 

On Tue, Mar 23, 2021 at 02:14:13PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <a...@arndb.de>
> 
> Dereferencing a zero-length array is always a bug, and we get a warning
> with 'make W=1' here:
> 
> arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
> arch/arm/mm/dma-mapping.c:395:15: error: array subscript <unknown> is outside 
> array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
>   395 |  dma_mmu_remap[dma_mmu_remap_num].base = base;
>       |  ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
>   389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] 
> __initdata;
>       |                                        ^~~~~~~~~~~~~
> arch/arm/mm/dma-mapping.c:396:15: error: array subscript <unknown> is outside 
> array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
> 
> Add a runtime check to prevent this from happening, while also
> avoiding the compile-time warning.
> 
> Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
> Signed-off-by: Arnd Bergmann <a...@arndb.de>
> ---
>  arch/arm/mm/dma-mapping.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index c4b8df2ad328..af29344fb150 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata;
>  
>  void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
>  {
> +     if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) {
> +             WARN_ONCE(1, "number of CMA areas\n");
> +             return;
> +     }
> +

What if dma_mmu_remap_num were negative - that condition is not checked
and will also result in an overflow of the array. If we're being fussy
enough to bounds check, we ought to do it properly.

So, I think a better solution would be to make dma_mmu_remap_num an
unsigned int, and then to use:

        if (dma_mmu_remap_num >= ARRAY_SIZE(dma_mmu_remap)) {
                ...
        }

which is really the condition we're after here.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!

Reply via email to