[smatch stuff] vme: memory corruption in pio2_gpio_reset()

Dan Carpenter <dan.carpenter@xxxxxxxxxx> · Tue, 29 Nov 2011 10:05:35 +0300

Smatch found a memory corruption bug in pio2_gpio_reset() but I'm not
sure what the correct fix is:

drivers/staging/vme/devices/vme_pio2_gpio.c +169 pio2_gpio_reset(24)
	error: buffer overflow 'card->bank' 4 <= 7

   161          /* Set input interrupt masks */
   162          for (i = 0; i < 8; i++) {
   163                  retval = vme_master_write(card->window, &data, 1,
   164                          PIO2_REGS_INT_MASK[i]);

PIO2_REGS_INT_MASK[] has 8 elements.

   165                  if (retval < 0)
   166                          return retval;
   167  
   168                  for (j = 0; j < 8; j++)
   169                          card->bank[i].irq[j] = NONE;
                                ^^^^^^^^^^^^^^^^^^^^
card->bank[] has 4 elements.
card->bank[i].irq[] has 8 elements.

We are inside an 8 by 8 loop so we're writing past the end of the array
here.

   170          }

regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel