tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

NTB: EPF: Tidy up some bounds checks

This sscanf() is reading from the filename which was set by the kernel
so it should be trust worthy. Although the data is likely trust worthy
there is some bounds checking but unfortunately, it is not complete or
consistent. Additionally, the Smatch static checker marks everything
that comes from sscanf() as tainted and so Smatch complains that this
code can lead to an out of bounds issue. Let's clean things up and make
Smatch happy.

The first problem is that there is no bounds checking in the _show()
functions. The _store() and _show() functions are very similar so make
the bounds checking the same in both.

The second issue is that if "win_no" is zero it leads to an array
underflow so add an if (win_no <= 0) check for that.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Souptick Joarder (HPE) <jrdr.linux@gmail.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>

authored by

Dan Carpenter and committed by
Jon Mason b8c0aa9b 3305f43c

+9 -2
+9 -2
drivers/pci/endpoint/functions/pci-epf-vntb.c
··· 831 831 { \ 832 832 struct config_group *group = to_config_group(item); \ 833 833 struct epf_ntb *ntb = to_epf_ntb(group); \ 834 + struct device *dev = &ntb->epf->dev; \ 834 835 int win_no; \ 835 836 \ 836 - sscanf(#_name, "mw%d", &win_no); \ 837 + if (sscanf(#_name, "mw%d", &win_no) != 1) \ 838 + return -EINVAL; \ 839 + \ 840 + if (win_no <= 0 || win_no > ntb->num_mws) { \ 841 + dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \ 842 + return -EINVAL; \ 843 + } \ 837 844 \ 838 845 return sprintf(page, "%lld\n", ntb->mws_size[win_no - 1]); \ 839 846 } ··· 863 856 if (sscanf(#_name, "mw%d", &win_no) != 1) \ 864 857 return -EINVAL; \ 865 858 \ 866 - if (ntb->num_mws < win_no) { \ 859 + if (win_no <= 0 || win_no > ntb->num_mws) { \ 867 860 dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \ 868 861 return -EINVAL; \ 869 862 } \