[lvc-project] [PATCH v2] staging: vme_user: Validate geoid value used for VME window address

Aleksandr Mishin amishin at t-argos.ru
Tue Jun 25 12:58:04 MSK 2024


The address of VME window is either set by jumpers (VME64) or derived from
the slot number (geographical addressing, VME64x) with the formula:
address = slot# * 0x80000
https://indico.cern.ch/event/68278/contributions/1234555/attachments/
1024465/1458672/VMEbus.pdf

slot# value can be set from module parameter 'geoid' which can contain any
value. In this case the value of an arithmetic expression 'slot# * 0x80000'
is a subject to overflow because its operands are not cast to a larger data
type before performing arithmetic.

Validate the provided geoid value using the Geographic Addr Mask.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
Suggested-by: Dan Carpenter <dan.carpenter at linaro.org>
Signed-off-by: Aleksandr Mishin <amishin at t-argos.ru>
---
v1->v2: Move geoid validation to the probe() function as suggested by Dan

 drivers/staging/vme_user/vme_tsi148.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/vme_user/vme_tsi148.c b/drivers/staging/vme_user/vme_tsi148.c
index 2ec9c2904404..e7fcbc3f4348 100644
--- a/drivers/staging/vme_user/vme_tsi148.c
+++ b/drivers/staging/vme_user/vme_tsi148.c
@@ -2448,12 +2448,17 @@ static int tsi148_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	data = ioread32be(tsi148_device->base + TSI148_LCSR_VSTAT);
 	dev_info(&pdev->dev, "Board is%s the VME system controller\n",
 		(data & TSI148_LCSR_VSTAT_SCONS) ? "" : " not");
-	if (!geoid)
+	if (!geoid) {
 		dev_info(&pdev->dev, "VME geographical address is %d\n",
 			data & TSI148_LCSR_VSTAT_GA_M);
-	else
+	} else if (geoid & ~TSI148_LCSR_VSTAT_GA_M) {
+		dev_err(&pdev->dev, "VME geographical address is out of range\n");
+		retval = -EINVAL;
+		goto err_crcsr;
+	} else {
 		dev_info(&pdev->dev, "VME geographical address is set to %d\n",
 			geoid);
+	}
 
 	dev_info(&pdev->dev, "VME Write and flush and error check is %s\n",
 		err_chk ? "enabled" : "disabled");
-- 
2.30.2




More information about the lvc-project mailing list