fw.c:973 iwl_mvm_get_ppag_table() error: buffer overflow 'gain' 11 <= 21

kernel test robot Mon, 19 Jul 2021 23:12:39 -0700

CC: [email protected]
CC: [email protected]
TO: Luca Coelho <[email protected]>


tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   2734d6c1b1a089fb593ef6a23d4b70903526fe0c
commit: 5a6842455c113920001df83cffa28accceeb0927 iwlwifi: mvm: fix the type we 
use in the PPAG table validity checks
date:   5 months ago
:::::: branch date: 32 hours ago
:::::: commit date: 5 months ago
config: x86_64-randconfig-m001-20210720 (attached as .config)
compiler: gcc-10 (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

New smatch warnings:
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:973 iwl_mvm_get_ppag_table() error: 
buffer overflow 'gain' 11 <= 21

Old smatch warnings:
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:665 iwl_run_init_mvm_ucode() error: 
we previously assumed 'mvm->nvm_data' could be null (see line 653)
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:976 iwl_mvm_get_ppag_table() error: 
buffer overflow 'gain' 11 <= 11
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:977 iwl_mvm_get_ppag_table() error: 
buffer overflow 'gain' 11 <= 11
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:979 iwl_mvm_get_ppag_table() error: 
buffer overflow 'gain' 11 <= 21
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:980 iwl_mvm_get_ppag_table() error: 
buffer overflow 'gain' 11 <= 21
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:1038 iwl_mvm_ppag_send_cmd() error: 
buffer overflow 'gain' 11 <= 21
drivers/net/wireless/intel/iwlwifi/mvm/fw.c:1495 iwl_mvm_up() warn: missing 
error code 'ret'

vim +/gain +973 drivers/net/wireless/intel/iwlwifi/mvm/fw.c

a6bff3cb19b7d5 Haim Dreyfuss 2017-01-19  894  
6ce1e5c0c207d9 Gil Adam      2019-06-16  895  static int 
iwl_mvm_get_ppag_table(struct iwl_mvm *mvm)
6ce1e5c0c207d9 Gil Adam      2019-06-16  896  {
6ce1e5c0c207d9 Gil Adam      2019-06-16  897    union acpi_object *wifi_pkg, 
*data, *enabled;
f2134f66f40e3f Gil Adam      2020-09-24  898    union iwl_ppag_table_cmd 
ppag_table;
f2134f66f40e3f Gil Adam      2020-09-24  899    int i, j, ret, tbl_rev, 
num_sub_bands;
6ce1e5c0c207d9 Gil Adam      2019-06-16  900    int idx = 2;
f2134f66f40e3f Gil Adam      2020-09-24  901    s8 *gain;
6ce1e5c0c207d9 Gil Adam      2019-06-16  902  
f2134f66f40e3f Gil Adam      2020-09-24  903    /*
f2134f66f40e3f Gil Adam      2020-09-24  904     * The 'enabled' field is the 
same in v1 and v2 so we can just
f2134f66f40e3f Gil Adam      2020-09-24  905     * use v1 to access it.
f2134f66f40e3f Gil Adam      2020-09-24  906     */
f2134f66f40e3f Gil Adam      2020-09-24  907    mvm->fwrt.ppag_table.v1.enabled 
= cpu_to_le32(0);
6ce1e5c0c207d9 Gil Adam      2019-06-16  908    data = 
iwl_acpi_get_object(mvm->dev, ACPI_PPAG_METHOD);
6ce1e5c0c207d9 Gil Adam      2019-06-16  909    if (IS_ERR(data))
6ce1e5c0c207d9 Gil Adam      2019-06-16  910            return PTR_ERR(data);
6ce1e5c0c207d9 Gil Adam      2019-06-16  911  
f2134f66f40e3f Gil Adam      2020-09-24  912    /* try to read ppag table 
revision 1 */
6ce1e5c0c207d9 Gil Adam      2019-06-16  913    wifi_pkg = 
iwl_acpi_get_wifi_pkg(mvm->dev, data,
f2134f66f40e3f Gil Adam      2020-09-24  914                                    
 ACPI_PPAG_WIFI_DATA_SIZE_V2, &tbl_rev);
f2134f66f40e3f Gil Adam      2020-09-24  915    if (!IS_ERR(wifi_pkg)) {
f2134f66f40e3f Gil Adam      2020-09-24  916            if (tbl_rev != 1) {
f2134f66f40e3f Gil Adam      2020-09-24  917                    ret = -EINVAL;
6ce1e5c0c207d9 Gil Adam      2019-06-16  918                    goto out_free;
6ce1e5c0c207d9 Gil Adam      2019-06-16  919            }
f2134f66f40e3f Gil Adam      2020-09-24  920            num_sub_bands = 
IWL_NUM_SUB_BANDS_V2;
f2134f66f40e3f Gil Adam      2020-09-24  921            gain = 
mvm->fwrt.ppag_table.v2.gain[0];
f2134f66f40e3f Gil Adam      2020-09-24  922            mvm->fwrt.ppag_ver = 2;
f2134f66f40e3f Gil Adam      2020-09-24  923            IWL_DEBUG_RADIO(mvm, 
"Reading PPAG table v2 (tbl_rev=1)\n");
f2134f66f40e3f Gil Adam      2020-09-24  924            goto read_table;
f2134f66f40e3f Gil Adam      2020-09-24  925    }
6ce1e5c0c207d9 Gil Adam      2019-06-16  926  
f2134f66f40e3f Gil Adam      2020-09-24  927    /* try to read ppag table 
revision 0 */
f2134f66f40e3f Gil Adam      2020-09-24  928    wifi_pkg = 
iwl_acpi_get_wifi_pkg(mvm->dev, data,
f2134f66f40e3f Gil Adam      2020-09-24  929                                    
 ACPI_PPAG_WIFI_DATA_SIZE, &tbl_rev);
f2134f66f40e3f Gil Adam      2020-09-24  930    if (!IS_ERR(wifi_pkg)) {
3ed83da39aed27 Luca Coelho   2019-08-23  931            if (tbl_rev != 0) {
3ed83da39aed27 Luca Coelho   2019-08-23  932                    ret = -EINVAL;
3ed83da39aed27 Luca Coelho   2019-08-23  933                    goto out_free;
3ed83da39aed27 Luca Coelho   2019-08-23  934            }
f2134f66f40e3f Gil Adam      2020-09-24  935            num_sub_bands = 
IWL_NUM_SUB_BANDS;
f2134f66f40e3f Gil Adam      2020-09-24  936            gain = 
mvm->fwrt.ppag_table.v1.gain[0];
f2134f66f40e3f Gil Adam      2020-09-24  937            mvm->fwrt.ppag_ver = 1;
f2134f66f40e3f Gil Adam      2020-09-24  938            IWL_DEBUG_RADIO(mvm, 
"Reading PPAG table v1 (tbl_rev=0)\n");
f2134f66f40e3f Gil Adam      2020-09-24  939            goto read_table;
f2134f66f40e3f Gil Adam      2020-09-24  940    }
f2134f66f40e3f Gil Adam      2020-09-24  941    ret = PTR_ERR(wifi_pkg);
f2134f66f40e3f Gil Adam      2020-09-24  942    goto out_free;
3ed83da39aed27 Luca Coelho   2019-08-23  943  
f2134f66f40e3f Gil Adam      2020-09-24  944  read_table:
6ce1e5c0c207d9 Gil Adam      2019-06-16  945    enabled = 
&wifi_pkg->package.elements[1];
6ce1e5c0c207d9 Gil Adam      2019-06-16  946    if (enabled->type != 
ACPI_TYPE_INTEGER ||
6ce1e5c0c207d9 Gil Adam      2019-06-16  947        (enabled->integer.value != 
0 && enabled->integer.value != 1)) {
6ce1e5c0c207d9 Gil Adam      2019-06-16  948            ret = -EINVAL;
6ce1e5c0c207d9 Gil Adam      2019-06-16  949            goto out_free;
6ce1e5c0c207d9 Gil Adam      2019-06-16  950    }
6ce1e5c0c207d9 Gil Adam      2019-06-16  951  
f2134f66f40e3f Gil Adam      2020-09-24  952    ppag_table.v1.enabled = 
cpu_to_le32(enabled->integer.value);
f2134f66f40e3f Gil Adam      2020-09-24  953    if (!ppag_table.v1.enabled) {
6ce1e5c0c207d9 Gil Adam      2019-06-16  954            ret = 0;
6ce1e5c0c207d9 Gil Adam      2019-06-16  955            goto out_free;
6ce1e5c0c207d9 Gil Adam      2019-06-16  956    }
6ce1e5c0c207d9 Gil Adam      2019-06-16  957  
6ce1e5c0c207d9 Gil Adam      2019-06-16  958    /*
6ce1e5c0c207d9 Gil Adam      2019-06-16  959     * read, verify gain values and 
save them into the PPAG table.
6ce1e5c0c207d9 Gil Adam      2019-06-16  960     * first sub-band (j=0) 
corresponds to Low-Band (2.4GHz), and the
6ce1e5c0c207d9 Gil Adam      2019-06-16  961     * following sub-bands to 
High-Band (5GHz).
6ce1e5c0c207d9 Gil Adam      2019-06-16  962     */
f2134f66f40e3f Gil Adam      2020-09-24  963    for (i = 0; i < 
IWL_NUM_CHAIN_LIMITS; i++) {
f2134f66f40e3f Gil Adam      2020-09-24  964            for (j = 0; j < 
num_sub_bands; j++) {
6ce1e5c0c207d9 Gil Adam      2019-06-16  965                    union 
acpi_object *ent;
6ce1e5c0c207d9 Gil Adam      2019-06-16  966  
6ce1e5c0c207d9 Gil Adam      2019-06-16  967                    ent = 
&wifi_pkg->package.elements[idx++];
5a6842455c1139 Luca Coelho   2021-02-10  968                    if (ent->type 
!= ACPI_TYPE_INTEGER) {
6ce1e5c0c207d9 Gil Adam      2019-06-16  969                            ret = 
-EINVAL;
6ce1e5c0c207d9 Gil Adam      2019-06-16  970                            goto 
out_free;
6ce1e5c0c207d9 Gil Adam      2019-06-16  971                    }
5a6842455c1139 Luca Coelho   2021-02-10  972  
f2134f66f40e3f Gil Adam      2020-09-24 @973                    gain[i * 
num_sub_bands + j] = ent->integer.value;
5a6842455c1139 Luca Coelho   2021-02-10  974  
5a6842455c1139 Luca Coelho   2021-02-10  975                    if ((j == 0 &&
5a6842455c1139 Luca Coelho   2021-02-10  976                         (gain[i * 
num_sub_bands + j] > ACPI_PPAG_MAX_LB ||
5a6842455c1139 Luca Coelho   2021-02-10  977                          gain[i * 
num_sub_bands + j] < ACPI_PPAG_MIN_LB)) ||
5a6842455c1139 Luca Coelho   2021-02-10  978                        (j != 0 &&
5a6842455c1139 Luca Coelho   2021-02-10  979                         (gain[i * 
num_sub_bands + j] > ACPI_PPAG_MAX_HB ||
5a6842455c1139 Luca Coelho   2021-02-10  980                          gain[i * 
num_sub_bands + j] < ACPI_PPAG_MIN_HB))) {
5a6842455c1139 Luca Coelho   2021-02-10  981                            
ppag_table.v1.enabled = cpu_to_le32(0);
5a6842455c1139 Luca Coelho   2021-02-10  982                            ret = 
-EINVAL;
5a6842455c1139 Luca Coelho   2021-02-10  983                            goto 
out_free;
5a6842455c1139 Luca Coelho   2021-02-10  984                    }
6ce1e5c0c207d9 Gil Adam      2019-06-16  985            }
6ce1e5c0c207d9 Gil Adam      2019-06-16  986    }
6ce1e5c0c207d9 Gil Adam      2019-06-16  987    ret = 0;
6ce1e5c0c207d9 Gil Adam      2019-06-16  988  out_free:
6ce1e5c0c207d9 Gil Adam      2019-06-16  989    kfree(data);
6ce1e5c0c207d9 Gil Adam      2019-06-16  990    return ret;
6ce1e5c0c207d9 Gil Adam      2019-06-16  991  }
6ce1e5c0c207d9 Gil Adam      2019-06-16  992  

:::::: The code at line 973 was first introduced by commit
:::::: f2134f66f40e3f74104562a4eb6c607601dcfa83 iwlwifi: acpi: support ppag 
table command v2

:::::: TO: Gil Adam <[email protected]>
:::::: CC: Luca Coelho <[email protected]>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

.config.gz
Description: application/gzip

_______________________________________________
kbuild mailing list -- [email protected]
To unsubscribe send an email to [email protected]

[kbuild] drivers/net/wireless/intel/iwlwifi/mvm/fw.c:973 iwl_mvm_get_ppag_table() error: buffer overflow 'gain' 11 <= 21

Reply via email to