[lvc-project] [PATCH v2] staging: vme_user: Validate geoid value used for VME window address
Aleksandr Mishin
amishin at t-argos.ru
Tue Jun 25 12:58:04 MSK 2024
The address of VME window is either set by jumpers (VME64) or derived from
the slot number (geographical addressing, VME64x) with the formula:
address = slot# * 0x80000
https://indico.cern.ch/event/68278/contributions/1234555/attachments/
1024465/1458672/VMEbus.pdf
slot# value can be set from module parameter 'geoid' which can contain any
value. In this case the value of an arithmetic expression 'slot# * 0x80000'
is a subject to overflow because its operands are not cast to a larger data
type before performing arithmetic.
Validate the provided geoid value using the Geographic Addr Mask.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
Suggested-by: Dan Carpenter <dan.carpenter at linaro.org>
Signed-off-by: Aleksandr Mishin <amishin at t-argos.ru>
---
v1->v2: Move geoid validation to the probe() function as suggested by Dan
drivers/staging/vme_user/vme_tsi148.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/vme_user/vme_tsi148.c b/drivers/staging/vme_user/vme_tsi148.c
index 2ec9c2904404..e7fcbc3f4348 100644
--- a/drivers/staging/vme_user/vme_tsi148.c
+++ b/drivers/staging/vme_user/vme_tsi148.c
@@ -2448,12 +2448,17 @@ static int tsi148_probe(struct pci_dev *pdev, const struct pci_device_id *id)
data = ioread32be(tsi148_device->base + TSI148_LCSR_VSTAT);
dev_info(&pdev->dev, "Board is%s the VME system controller\n",
(data & TSI148_LCSR_VSTAT_SCONS) ? "" : " not");
- if (!geoid)
+ if (!geoid) {
dev_info(&pdev->dev, "VME geographical address is %d\n",
data & TSI148_LCSR_VSTAT_GA_M);
- else
+ } else if (geoid & ~TSI148_LCSR_VSTAT_GA_M) {
+ dev_err(&pdev->dev, "VME geographical address is out of range\n");
+ retval = -EINVAL;
+ goto err_crcsr;
+ } else {
dev_info(&pdev->dev, "VME geographical address is set to %d\n",
geoid);
+ }
dev_info(&pdev->dev, "VME Write and flush and error check is %s\n",
err_chk ? "enabled" : "disabled");
--
2.30.2
More information about the lvc-project
mailing list