lightnvm: fix out-of-bounds write to array devices->info[]

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

There is an off-by-one array check that can lead to a out-of-bounds
write to devices->info[i]. Fix this by checking by using >= rather
than > for the size check. Also replace hard-coded array size limit
with ARRAY_SIZE on the array.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: cd9e9808d18f ("lightnvm: Support for Open-Channel SSDs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Colin Ian King and committed by

Jens Axboe 5 years ago a48faebe 87aac3a8

+3 -2

1 changed file

expand all

drivers

lightnvm

core.c

+3 -2

drivers/lightnvm/core.c

··· 1311 1311 strlcpy(info->bmname, "gennvm", sizeof(info->bmname)); 1312 1312 i++; 1313 1313 1314 - if (i > 31) { 1315 - pr_err("max 31 devices can be reported.\n"); 1314 + if (i >= ARRAY_SIZE(devices->info)) { 1315 + pr_err("max %zd devices can be reported.\n", 1316 + ARRAY_SIZE(devices->info)); 1316 1317 break; 1317 1318 } 1318 1319 }