From: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
To: Robert Richter <rrichter@amd.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
kernel test robot <lkp@intel.com>,
Alison Schofield <alison.schofield@intel.com>,
"Vishal Verma" <vishal.l.verma@intel.com>,
Ira Weiny <ira.weiny@intel.com>,
"Dave Jiang" <dave.jiang@intel.com>,
Davidlohr Bueso <dave@stgolabs.net>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
<oe-kbuild-all@lists.linux.dev>,
Linux Memory Management List <linux-mm@kvack.org>,
<linux-cxl@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
Len Brown <lenb@kernel.org>, <linux-acpi@vger.kernel.org>
Subject: Re: [PATCH v5] lib/firmware_table: Provide buffer length argument to cdat_table_parse()
Date: Mon, 19 Feb 2024 12:53:34 +0000 [thread overview]
Message-ID: <20240219125334.000036cd@Huawei.com> (raw)
In-Reply-To: <ZdEnopFO0Tl3t2O1@rric.localdomain>
On Sat, 17 Feb 2024 22:39:46 +0100
Robert Richter <rrichter@amd.com> wrote:
> On 17.02.24 18:43:37, kernel test robot wrote:
> > Hi Robert,
> >
> > kernel test robot noticed the following build warnings:
> >
> > [auto build test WARNING on 6be99530c92c6b8ff7a01903edc42393575ad63b]
> >
> > url: https://github.com/intel-lab-lkp/linux/commits/Robert-Richter/cxl-pci-Rename-DOE-mailbox-handle-to-doe_mb/20240217-000206
> > base: 6be99530c92c6b8ff7a01903edc42393575ad63b
> > patch link: https://lore.kernel.org/r/20240216155844.406996-4-rrichter%40amd.com
> > patch subject: [PATCH v4 3/3] lib/firmware_table: Provide buffer length argument to cdat_table_parse()
> > config: arc-allyesconfig (https://download.01.org/0day-ci/archive/20240217/202402171817.i0WShbft-lkp@intel.com/config)
> > compiler: arceb-elf-gcc (GCC) 13.2.0
> > reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240217/202402171817.i0WShbft-lkp@intel.com/reproduce)
>
> > In file included from include/linux/device.h:15,
> > from drivers/cxl/core/pci.c:5:
> > drivers/cxl/core/pci.c: In function 'read_cdat_data':
> > >> drivers/cxl/core/pci.c:672:31: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'size_t' {aka 'unsigned int'} [-Wformat=]
> > 672 | dev_warn(dev, "Malformed CDAT table length (%lu:%lu), discarding trailing data\n",
> > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Fix below, it basically uses %zu for both format strings.
>
> -Robert
>
>
> From 08685053a91e370fd1263b921aa3e8942025c4e4 Mon Sep 17 00:00:00 2001
> From: Robert Richter <rrichter@amd.com>
> Date: Sun, 7 Jan 2024 18:13:16 +0100
> Subject: [PATCH v5] lib/firmware_table: Provide buffer length argument to
> cdat_table_parse()
>
> There exist card implementations with a CDAT table using a fixed size
> buffer, but with entries filled in that do not fill the whole table
> length size. Then, the last entry in the CDAT table may not mark the
> end of the CDAT table buffer specified by the length field in the CDAT
> header. It can be shorter with trailing unused (zero'ed) data. The
> actual table length is determined while reading all CDAT entries of
> the table with DOE.
>
> If the table is greater than expected (containing zero'ed trailing
> data), the CDAT parser fails with:
>
> [ 48.691717] Malformed DSMAS table length: (24:0)
> [ 48.702084] [CDAT:0x00] Invalid zero length
> [ 48.711460] cxl_port endpoint1: Failed to parse CDAT: -22
>
> In addition, a check of the table buffer length is missing to prevent
> an out-of-bound access then parsing the CDAT table.
>
> Hardening code against device returning borked table. Fix that by
> providing an optional buffer length argument to
> acpi_parse_entries_array() that can be used by cdat_table_parse() to
> propagate the buffer size down to its users to check the buffer
> length. This also prevents a possible out-of-bound access mentioned.
>
> Add a check to warn about a malformed CDAT table length.
>
> Cc: "Rafael J. Wysocki" <rafael@kernel.org>
> Cc: Len Brown <lenb@kernel.org>
> Signed-off-by: Robert Richter <rrichter@amd.com>
> Reviewed-by: Dave Jiang <dave.jiang@intel.com>
> Signed-off-by: Robert Richter <rrichter@amd.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
next prev parent reply other threads:[~2024-02-19 12:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240216155844.406996-4-rrichter@amd.com>
2024-02-17 10:43 ` [PATCH v4 3/3] " kernel test robot
2024-02-17 21:39 ` [PATCH v5] " Robert Richter
2024-02-19 12:53 ` Jonathan Cameron [this message]
2024-02-18 12:58 ` [PATCH v4 3/3] " kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240219125334.000036cd@Huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=alison.schofield@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=dave@stgolabs.net \
--cc=ira.weiny@intel.com \
--cc=lenb@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=rafael@kernel.org \
--cc=rrichter@amd.com \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox