CC: [email protected]
BCC: [email protected]
CC: [email protected]
TO: Martin Faltesek <[email protected]>
CC: Jakub Kicinski <[email protected]>
CC: Guenter Roeck <[email protected]>
CC: Krzysztof Kozlowski <[email protected]>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3
commit: f2e19b36593caed4c977c2f55aeba7408aeb2132 nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
date:   4 days ago
:::::: branch date: 5 hours ago
:::::: commit date: 4 days ago
config: i386-randconfig-m031-20220613 (https://download.01.org/0day-ci/archive/20220613/[email protected]/config)
compiler: gcc-11 (Debian 11.3.0-3) 11.3.0

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

New smatch warnings:
drivers/nfc/st21nfca/se.c:343 st21nfca_connectivity_event_received() warn: possible spectre second half. 'params_len'

Old smatch warnings:
drivers/nfc/st21nfca/se.c:337 st21nfca_connectivity_event_received() warn: potential spectre issue 'skb->data' [r]

vim +/params_len +343 drivers/nfc/st21nfca/se.c

2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  291
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  292  /*
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  293   * Returns:
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  294   * <= 0: driver handled the event, skb consumed
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  295   * 1: driver does not handle the event, please do standard processing
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  296   */
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  297  int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  298                                           u8 event, struct sk_buff *skb)
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  299  {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  300          int r = 0;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  301          struct device *dev = &hdev->ndev->dev;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  302          struct nfc_evt_transaction *transaction;
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  303          u32 aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  304          u8 params_len;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  305
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  306          pr_debug("connectivity gate event: %x\n", event);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  307
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  308          switch (event) {
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  309          case ST21NFCA_EVT_CONNECTIVITY:
72c54c42b29439 drivers/nfc/st21nfca/se.c          Christophe Ricard 2015-12-23  310                  r = nfc_se_connectivity(hdev->ndev, host);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  311                  break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  312          case ST21NFCA_EVT_TRANSACTION:
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  313                  /* According to specification etsi 102 622
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31  314                   * 11.2.2.4 EVT_TRANSACTION Table 52
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31  315                   * Description  Tag  Length
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31  316                   * AID          81   5 to 16
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31  317                   * PARAMETERS   82   0 to 255
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  318                   *
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  319                   * The key differences are aid storage length is variably sized
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  320                   * in the packet, but fixed in nfc_evt_transaction, and that the aid_len
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  321                   * is u8 in the packet, but u32 in the structure, and the tags in
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  322                   * the packet are not included in nfc_evt_transaction.
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  323                   *
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  324                   * size in bytes:  1          1       5-16 1             1           0-255
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  325                   * offset:         0          1       2    aid_len + 2   aid_len + 3 aid_len + 4
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  326                   * member name:    aid_tag(M) aid_len aid  params_tag(M) params_len  params
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  327                   * example:        0x81       5-16    X    0x82          0-255       X
9dbe776338e7f9 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-03-31  328                   */
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  329                  if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  330                          return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  331
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  332                  aid_len = skb->data[1];
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c          Jordy Zomer       2022-01-11  333
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  334                  if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  335                          return -EPROTO;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c          Jordy Zomer       2022-01-11  336
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  337                  params_len = skb->data[aid_len + 3];
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  338
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  339                  /* Verify PARAMETERS tag is (82), and final check that there is enough
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  340                   * space in the packet to read everything.
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  341                   */
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  342                  if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) ||
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06 @343                      (skb->len < aid_len + 4 + params_len))
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  344                          return -EPROTO;
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  345
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  346                  transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL);
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  347                  if (!transaction)
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  348                          return -ENOMEM;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c          Jordy Zomer       2022-01-11  349
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  350                  transaction->aid_len = aid_len;
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  351                  transaction->params_len = params_len;
4fbcc1a4cb20fe drivers/nfc/st21nfca/se.c          Jordy Zomer       2022-01-11  352
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  353                  memcpy(transaction->aid, &skb->data[2], aid_len);
f2e19b36593cae drivers/nfc/st21nfca/se.c          Martin Faltesek   2022-06-06  354                  memcpy(transaction->params, &skb->data[aid_len + 4], params_len);
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  355
26fc6c7f02cb26 drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-02-01  356                  r = nfc_se_transaction(hdev->ndev, host, transaction);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  357                  break;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  358          default:
a9e062d0599f49 drivers/nfc/st21nfca/se.c          Christophe Ricard 2015-10-25  359                  nfc_err(&hdev->ndev->dev, "Unexpected event on connectivity gate\n");
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  360                  return 1;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  361          }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  362          kfree_skb(skb);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  363          return r;
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  364  }
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  365  EXPORT_SYMBOL(st21nfca_connectivity_event_received);
2130fb97fecf9a drivers/nfc/st21nfca/st21nfca_se.c Christophe Ricard 2015-01-27  366

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
_______________________________________________
kbuild mailing list -- [email protected]
To unsubscribe send an email to [email protected]
