Bug 42677
| Summary: | drivers/dma/iop-adma.c: Buffer access out-of-bounds | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | David Binderman (dcb314) |
| Component: | Other | Assignee: | drivers_other |
| Status: | CLOSED CODE_FIX | ||
| Severity: | normal | CC: | alan, cath_bugz, florian |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 3.3-rc1 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
A patch referencing this bug report has been merged in Linux v3.4-rc3: commit 3d9ea9e3af048ab6b8dced15248384e548ba05ea Author: Don Morris <don.morris@hp.com> Date: Thu Mar 15 11:07:30 2012 -0700 iop-adma: Corrected array overflow in RAID6 Xscale(R) test. |
I just tried out cppcheck-1.52 on the linux-3.3-rc1 source code. It said [drivers/dma/iop-adma.c:1359]: (error) Buffer access out-of-bounds: pq_src [drivers/dma/iop-adma.c:1391]: (error) Buffer access out-of-bounds: pq_src The source code is for (i = 0; i < IOP_ADMA_NUM_SRC_TEST + 2; i++) pq_src[i] = dma_map_page(dev, pq[i], 0, PAGE_SIZE, DMA_TO_DEVICE); So arrays pq_src and pq have to have the same number of elements. But struct page *pq[IOP_ADMA_NUM_SRC_TEST+2+2]; and dma_addr_t pq_src[IOP_ADMA_NUM_SRC_TEST]; so pq has four more elements in it. Suggest code rework.