Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
On 03/13/2017 10:32 AM, Wu, Songjun wrote: > > > On 3/13/2017 17:25, Hans Verkuil wrote: >> On 03/13/2017 06:53 AM, Wu, Songjun wrote: >>> >>> >>> On 3/9/2017 18:57, Hans Verkuil wrote: Hi Songjun, On 08/03/17 03:25, Wu, Songjun wrote: > Hi Colin, > > Thank you for your comment. > It is a bug, will be fixed in the next patch. Do you mean that you will provide a new patch for this? Is there anything wrong with this patch? It seems reasonable to me. >>> Hi Hans, >>> >>> I see this patch is merged in git://linuxtv.org/media_tree.git. >>> So I do not need submit isc-pipeline-v3 patch, just submit the patches, >>> based on the current master branch? >> >> Huh? Where do you see that this patch is merged? I don't see it in the >> media_tree master >> branch. >> > Hi Hans, > > I see this patch on the master branch in media_tree. > https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c ??? That's a link to the source, not a patch. And that source still does <= HIST_ENTRIES. Still confused, Hans > >> Regards, >> >> Hans >> >>> Regards, Hans > > On 3/7/2017 22:30, Colin King wrote: >> From: Colin Ian King>> >> The are only HIST_ENTRIES worth of entries in hist_entry however the >> for-loop is iterating one too many times leasing to a read access off >> the end off the array ctrls->hist_entry. Fix this by iterating by >> the correct number of times. >> >> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >> >> Signed-off-by: Colin Ian King >> --- >> drivers/media/platform/atmel/atmel-isc.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/media/platform/atmel/atmel-isc.c >> b/drivers/media/platform/atmel/atmel-isc.c >> index b380a7d..7dacf8c 100644 >> --- a/drivers/media/platform/atmel/atmel-isc.c >> +++ b/drivers/media/platform/atmel/atmel-isc.c >> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >> >> *hist_count = 0; >> -for (i = 0; i <= HIST_ENTRIES; i++) >> +for (i = 0; i < HIST_ENTRIES; i++) >> *hist_count += i * (*hist_entry++); >> } >> >> >>
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
On 3/13/2017 17:25, Hans Verkuil wrote: On 03/13/2017 06:53 AM, Wu, Songjun wrote: On 3/9/2017 18:57, Hans Verkuil wrote: Hi Songjun, On 08/03/17 03:25, Wu, Songjun wrote: Hi Colin, Thank you for your comment. It is a bug, will be fixed in the next patch. Do you mean that you will provide a new patch for this? Is there anything wrong with this patch? It seems reasonable to me. Hi Hans, I see this patch is merged in git://linuxtv.org/media_tree.git. So I do not need submit isc-pipeline-v3 patch, just submit the patches, based on the current master branch? Huh? Where do you see that this patch is merged? I don't see it in the media_tree master branch. Hi Hans, I see this patch on the master branch in media_tree. https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c Regards, Hans Regards, Hans On 3/7/2017 22:30, Colin King wrote: From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; -for (i = 0; i <= HIST_ENTRIES; i++) +for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); }
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
On 03/13/2017 06:53 AM, Wu, Songjun wrote: > > > On 3/9/2017 18:57, Hans Verkuil wrote: >> Hi Songjun, >> >> On 08/03/17 03:25, Wu, Songjun wrote: >>> Hi Colin, >>> >>> Thank you for your comment. >>> It is a bug, will be fixed in the next patch. >> >> Do you mean that you will provide a new patch for this? Is there anything >> wrong with this patch? It seems reasonable to me. >> > Hi Hans, > > I see this patch is merged in git://linuxtv.org/media_tree.git. > So I do not need submit isc-pipeline-v3 patch, just submit the patches, > based on the current master branch? Huh? Where do you see that this patch is merged? I don't see it in the media_tree master branch. Regards, Hans > >> Regards, >> >> Hans >> >>> >>> On 3/7/2017 22:30, Colin King wrote: From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; -for (i = 0; i <= HIST_ENTRIES; i++) +for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); } >>
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
On 3/9/2017 18:57, Hans Verkuil wrote: Hi Songjun, On 08/03/17 03:25, Wu, Songjun wrote: Hi Colin, Thank you for your comment. It is a bug, will be fixed in the next patch. Do you mean that you will provide a new patch for this? Is there anything wrong with this patch? It seems reasonable to me. Hi Hans, I see this patch is merged in git://linuxtv.org/media_tree.git. So I do not need submit isc-pipeline-v3 patch, just submit the patches, based on the current master branch? Regards, Hans On 3/7/2017 22:30, Colin King wrote: From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; -for (i = 0; i <= HIST_ENTRIES; i++) +for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); }
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
On 3/9/2017 19:50, Colin Ian King wrote: On 09/03/17 11:49, walter harms wrote: Am 09.03.2017 11:57, schrieb Hans Verkuil: Hi Songjun, On 08/03/17 03:25, Wu, Songjun wrote: Hi Colin, Thank you for your comment. It is a bug, will be fixed in the next patch. Do you mean that you will provide a new patch for this? Is there anything wrong with this patch? It seems reasonable to me. Regards, Hans perhaps he will make it a bit more readable, like: *hist_count += i * (*hist_entry++); *hist_count += hist_entry[i]*i; As long as it gets fixed somehow, then I'm happy. You suggestion is very good, I will modify it like this. Thank you. Colin re, wh On 3/7/2017 22:30, Colin King wrote: From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; -for (i = 0; i <= HIST_ENTRIES; i++) +for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); } -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
Am 09.03.2017 11:57, schrieb Hans Verkuil: > Hi Songjun, > > On 08/03/17 03:25, Wu, Songjun wrote: >> Hi Colin, >> >> Thank you for your comment. >> It is a bug, will be fixed in the next patch. > > Do you mean that you will provide a new patch for this? Is there anything > wrong with this patch? It seems reasonable to me. > > Regards, > > Hans > perhaps he will make it a bit more readable, like: *hist_count += i * (*hist_entry++); *hist_count += hist_entry[i]*i; re, wh >> >> On 3/7/2017 22:30, Colin King wrote: >>> From: Colin Ian King>>> >>> The are only HIST_ENTRIES worth of entries in hist_entry however the >>> for-loop is iterating one too many times leasing to a read access off >>> the end off the array ctrls->hist_entry. Fix this by iterating by >>> the correct number of times. >>> >>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >>> >>> Signed-off-by: Colin Ian King >>> --- >>> drivers/media/platform/atmel/atmel-isc.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/media/platform/atmel/atmel-isc.c >>> b/drivers/media/platform/atmel/atmel-isc.c >>> index b380a7d..7dacf8c 100644 >>> --- a/drivers/media/platform/atmel/atmel-isc.c >>> +++ b/drivers/media/platform/atmel/atmel-isc.c >>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >>> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >>> >>> *hist_count = 0; >>> -for (i = 0; i <= HIST_ENTRIES; i++) >>> +for (i = 0; i < HIST_ENTRIES; i++) >>> *hist_count += i * (*hist_entry++); >>> } >>> >>> > > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
On 09/03/17 11:49, walter harms wrote: > > > Am 09.03.2017 11:57, schrieb Hans Verkuil: >> Hi Songjun, >> >> On 08/03/17 03:25, Wu, Songjun wrote: >>> Hi Colin, >>> >>> Thank you for your comment. >>> It is a bug, will be fixed in the next patch. >> >> Do you mean that you will provide a new patch for this? Is there anything >> wrong with this patch? It seems reasonable to me. >> >> Regards, >> >> Hans >> > > > > perhaps he will make it a bit more readable, like: > > *hist_count += i * (*hist_entry++); > > *hist_count += hist_entry[i]*i; As long as it gets fixed somehow, then I'm happy. Colin > > > re, > wh >>> >>> On 3/7/2017 22:30, Colin King wrote: From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; -for (i = 0; i <= HIST_ENTRIES; i++) +for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); } >> > > > > >> -- >> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in >> the body of a message to majord...@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >>
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
Hi Songjun, On 08/03/17 03:25, Wu, Songjun wrote: > Hi Colin, > > Thank you for your comment. > It is a bug, will be fixed in the next patch. Do you mean that you will provide a new patch for this? Is there anything wrong with this patch? It seems reasonable to me. Regards, Hans > > On 3/7/2017 22:30, Colin King wrote: >> From: Colin Ian King>> >> The are only HIST_ENTRIES worth of entries in hist_entry however the >> for-loop is iterating one too many times leasing to a read access off >> the end off the array ctrls->hist_entry. Fix this by iterating by >> the correct number of times. >> >> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") >> >> Signed-off-by: Colin Ian King >> --- >> drivers/media/platform/atmel/atmel-isc.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/media/platform/atmel/atmel-isc.c >> b/drivers/media/platform/atmel/atmel-isc.c >> index b380a7d..7dacf8c 100644 >> --- a/drivers/media/platform/atmel/atmel-isc.c >> +++ b/drivers/media/platform/atmel/atmel-isc.c >> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) >> regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); >> >> *hist_count = 0; >> -for (i = 0; i <= HIST_ENTRIES; i++) >> +for (i = 0; i < HIST_ENTRIES; i++) >> *hist_count += i * (*hist_entry++); >> } >> >>
Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
Hi Colin, Thank you for your comment. It is a bug, will be fixed in the next patch. On 3/7/2017 22:30, Colin King wrote: From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; - for (i = 0; i <= HIST_ENTRIES; i++) + for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); }
[PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue
From: Colin Ian KingThe are only HIST_ENTRIES worth of entries in hist_entry however the for-loop is iterating one too many times leasing to a read access off the end off the array ctrls->hist_entry. Fix this by iterating by the correct number of times. Detected by CoverityScan, CID#1415279 ("Out-of-bounds read") Signed-off-by: Colin Ian King --- drivers/media/platform/atmel/atmel-isc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/atmel/atmel-isc.c b/drivers/media/platform/atmel/atmel-isc.c index b380a7d..7dacf8c 100644 --- a/drivers/media/platform/atmel/atmel-isc.c +++ b/drivers/media/platform/atmel/atmel-isc.c @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc) regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES); *hist_count = 0; - for (i = 0; i <= HIST_ENTRIES; i++) + for (i = 0; i < HIST_ENTRIES; i++) *hist_count += i * (*hist_entry++); } -- 2.10.2