[PATCH][V2] backlight: sky81452: insure while loop does not allow negative array indexing
From: Colin Ian King colin.king@canonical.com
In the unlikely event that num_entry is zero, the while loop pre-decrements num_entry to cause negative array indexing into the array sources. Fix this by iterating only if num_entry >= 0.
Addresses-Coverity: ("Out-of-bounds read") Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Colin Ian King colin.king@canonical.com ---
V2: fix typo in commit subject line
--- drivers/video/backlight/sky81452-backlight.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c index 2355f00f5773..f456930ce78e 100644 --- a/drivers/video/backlight/sky81452-backlight.c +++ b/drivers/video/backlight/sky81452-backlight.c @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( }
pdata->enable = 0; - while (--num_entry) + while (--num_entry >= 0) pdata->enable |= (1 << sources[num_entry]); }
hi all, i would suggest converting this in to a more common for() loop. Programmers are bad in counting backwards. that kind of bug is common.
re, wh ________________________________________ Von: kernel-janitors-owner@vger.kernel.org kernel-janitors-owner@vger.kernel.org im Auftrag von Colin King colin.king@canonical.com Gesendet: Mittwoch, 26. Februar 2020 20:58 An: Lee Jones; Daniel Thompson; Jingoo Han; Bartlomiej Zolnierkiewicz; Gyungoh Yoo; Bryan Wu; dri-devel@lists.freedesktop.org; linux-fbdev@vger.kernel.org Cc: kernel-janitors@vger.kernel.org; linux-kernel@vger.kernel.org Betreff: [PATCH][V2] backlight: sky81452: insure while loop does not allow negative array indexing
From: Colin Ian King colin.king@canonical.com
In the unlikely event that num_entry is zero, the while loop pre-decrements num_entry to cause negative array indexing into the array sources. Fix this by iterating only if num_entry >= 0.
Addresses-Coverity: ("Out-of-bounds read") Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Colin Ian King colin.king@canonical.com ---
V2: fix typo in commit subject line
--- drivers/video/backlight/sky81452-backlight.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c index 2355f00f5773..f456930ce78e 100644 --- a/drivers/video/backlight/sky81452-backlight.c +++ b/drivers/video/backlight/sky81452-backlight.c @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( }
pdata->enable = 0; - while (--num_entry) + while (--num_entry >= 0) pdata->enable |= (1 << sources[num_entry]);
int i; for(i=0;i<num_entry;i++) pdata->enable |= (1 << sources[i]);
}
-- 2.25.0
On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote:
From: Colin Ian King colin.king@canonical.com
In the unlikely event that num_entry is zero, the while loop pre-decrements num_entry to cause negative array indexing into the array sources. Fix this by iterating only if num_entry >= 0.
Addresses-Coverity: ("Out-of-bounds read") Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Colin Ian King colin.king@canonical.com
V2: fix typo in commit subject line
Isn't the correct spelling "ensure"?
drivers/video/backlight/sky81452-backlight.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c index 2355f00f5773..f456930ce78e 100644 --- a/drivers/video/backlight/sky81452-backlight.c +++ b/drivers/video/backlight/sky81452-backlight.c @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( }
pdata->enable = 0;
while (--num_entry)
while (--num_entry >= 0) pdata->enable |= (1 << sources[num_entry]);
This look still looks buggy to me (so I'd second Walter's request to change it to a for loop). If the code genuinely does not contain a bug then it probably needs a prominent comment explaining why it is correct not to honour sources[0]!
Daniel.
On Thu, Feb 27, 2020 at 11:46:23AM +0000, Daniel Thompson wrote:
On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote:
From: Colin Ian King colin.king@canonical.com
In the unlikely event that num_entry is zero, the while loop pre-decrements num_entry to cause negative array indexing into the array sources. Fix this by iterating only if num_entry >= 0.
Addresses-Coverity: ("Out-of-bounds read") Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Colin Ian King colin.king@canonical.com
V2: fix typo in commit subject line
Isn't the correct spelling "ensure"?
drivers/video/backlight/sky81452-backlight.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c index 2355f00f5773..f456930ce78e 100644 --- a/drivers/video/backlight/sky81452-backlight.c +++ b/drivers/video/backlight/sky81452-backlight.c @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( }
pdata->enable = 0;
while (--num_entry)
while (--num_entry >= 0) pdata->enable |= (1 << sources[num_entry]);This look still looks buggy to me (so I'd second Walter's request to change it to a for loop). If the code genuinely does not contain a bug then it probably needs a prominent comment explaining why it is correct not to honour sources[0]!
Ignore the "still looks buggy". A mental mis-step when switching contexts...
I think my English is still correct though ;-)
Daniel.
On 27/02/2020 11:46, Daniel Thompson wrote:
On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote:
From: Colin Ian King colin.king@canonical.com
In the unlikely event that num_entry is zero, the while loop pre-decrements num_entry to cause negative array indexing into the array sources. Fix this by iterating only if num_entry >= 0.
Addresses-Coverity: ("Out-of-bounds read") Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Colin Ian King colin.king@canonical.com
V2: fix typo in commit subject line
Isn't the correct spelling "ensure"?
It is. V1 is correct after all. Doh.
drivers/video/backlight/sky81452-backlight.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c index 2355f00f5773..f456930ce78e 100644 --- a/drivers/video/backlight/sky81452-backlight.c +++ b/drivers/video/backlight/sky81452-backlight.c @@ -200,7 +200,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( }
pdata->enable = 0;
while (--num_entry)
while (--num_entry >= 0) pdata->enable |= (1 << sources[num_entry]);This look still looks buggy to me (so I'd second Walter's request to change it to a for loop). If the code genuinely does not contain a bug then it probably needs a prominent comment explaining why it is correct not to honour sources[0]!
Daniel.
On Thu, Feb 27, 2020 at 03:10:43PM +0000, Colin Ian King wrote:
On 27/02/2020 11:46, Daniel Thompson wrote:
On Wed, Feb 26, 2020 at 07:58:26PM +0000, Colin King wrote:
From: Colin Ian King colin.king@canonical.com
In the unlikely event that num_entry is zero, the while loop pre-decrements num_entry to cause negative array indexing into the array sources. Fix this by iterating only if num_entry >= 0.
Addresses-Coverity: ("Out-of-bounds read") Fixes: f705806c9f35 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Colin Ian King colin.king@canonical.com
V2: fix typo in commit subject line
Isn't the correct spelling "ensure"?
It is. V1 is correct after all. Doh.
It wasn't spelt "ensure" in v1...
Daniel.
dri-devel@lists.freedesktop.org
-
Colin Ian King -
Colin King
-
Daniel Thompson -
Walter Harms