Bug 42677 - drivers/dma/iop-adma.c: Buffer access out-of-bounds
Status: CLOSED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: drivers_other
Reported: 2012-01-28 10:18 UTC by David Binderman
Modified: 2012-06-13 15:14 UTC
Kernel Version: 3.3-rc1
Regression: No

Description David Binderman 2012-01-28 10:18:49 UTC
I just tried out cppcheck-1.52 on the linux-3.3-rc1 source code.

It said

[drivers/dma/iop-adma.c:1359]: (error) Buffer access out-of-bounds: pq_src
[drivers/dma/iop-adma.c:1391]: (error) Buffer access out-of-bounds: pq_src

The source code is

    for (i = 0; i < IOP_ADMA_NUM_SRC_TEST + 2; i++)
        pq_src[i] = dma_map_page(dev, pq[i], 0, PAGE_SIZE,
                     DMA_TO_DEVICE);

So arrays pq_src and pq have to have the same number of elements. 
But

    struct page *pq[IOP_ADMA_NUM_SRC_TEST+2+2];

and

    dma_addr_t pq_src[IOP_ADMA_NUM_SRC_TEST];

so pq has four more elements in it. Suggest code rework.
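
An added example (not from the report, the kernel tree or the merged commit): user-space C that computes how far the quoted loop indexes past pq_src as declared, and a mapping helper that checks both array lengths before writing. The value chosen for IOP_ADMA_NUM_SRC_TEST, the stand-in types, and the names PQ_MAP_COUNT, fake_map_page, overrun_elems, map_sources and try_map are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed value for this example; the report does not state the real one. */
#define IOP_ADMA_NUM_SRC_TEST 16
#define PQ_MAP_COUNT (IOP_ADMA_NUM_SRC_TEST + 2)  /* loop bound quoted in the report */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef uint64_t dma_addr_t;      /* user-space stand-in for the kernel type */
struct page { int id; };          /* user-space stand-in for struct page */

/* Hypothetical stub replacing dma_map_page(): returns a fake bus address. */
static dma_addr_t fake_map_page(const struct page *p)
{
    return (dma_addr_t)0x1000 * (dma_addr_t)(p->id + 1);
}

/* Elements a loop of `count` iterations writes past a `len`-element array. */
size_t overrun_elems(size_t len, size_t count)
{
    return count > len ? count - len : 0;
}

/* Length-checked mapping: refuses to run unless both arrays hold `count`. */
int map_sources(dma_addr_t *dst, size_t dst_len,
                struct page *const *src, size_t src_len, size_t count)
{
    if (count > dst_len || count > src_len)
        return -1;
    for (size_t i = 0; i < count; i++)
        dst[i] = fake_map_page(src[i]);
    return 0;
}

/* Runs the mapping while claiming pq_src holds `dst_len` elements. */
int try_map(size_t dst_len)
{
    static struct page pages[IOP_ADMA_NUM_SRC_TEST + 2 + 2];
    struct page *pq[IOP_ADMA_NUM_SRC_TEST + 2 + 2];   /* as declared in the report */
    dma_addr_t pq_src[PQ_MAP_COUNT];                  /* sized from the loop bound */
    _Static_assert(ARRAY_SIZE(pq_src) >= PQ_MAP_COUNT, "pq_src shorter than loop");
    for (size_t i = 0; i < ARRAY_SIZE(pq); i++) {
        pages[i].id = (int)i;
        pq[i] = &pages[i];
    }
    if (dst_len > ARRAY_SIZE(pq_src))   /* never claim more than the backing array */
        return -1;
    return map_sources(pq_src, dst_len, pq, ARRAY_SIZE(pq), PQ_MAP_COUNT);
}
int main(void) { return (try_map(PQ_MAP_COUNT) == 0 && try_map(IOP_ADMA_NUM_SRC_TEST) == -1) ? 0 : 1; }
```
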
Comment 1 Florian Mickler 2012-04-16 21:16:42 UTC
A patch referencing this bug report has been merged in Linux v3.4-rc3:

commit 3d9ea9e3af048ab6b8dced15248384e548ba05ea
Author: Don Morris <don.morris@hp.com>
Date:   Thu Mar 15 11:07:30 2012 -0700

    iop-adma: Corrected array overflow in RAID6 Xscale(R) test.
