> On Wed, Mar 13, 2024 at 02:12:52PM +0000, Avri Altman wrote:
> > > -----Original Message-----
> > > From: mikko.rapeli@xxxxxxxxxx <mikko.rapeli@xxxxxxxxxx>
> > > Sent: Wednesday, March 13, 2024 3:38 PM
> > > To: linux-mmc@xxxxxxxxxxxxxxx
> > > Cc: Mikko Rapeli <mikko.rapeli@xxxxxxxxxx>; Avri Altman
> > > <Avri.Altman@xxxxxxx>; Ulf Hansson <ulf.hansson@xxxxxxxxxx>; Adrian
> > > Hunter <adrian.hunter@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx
> > > Subject: [PATCH 2/2] mmc core block.c: avoid negative index with
> > > array access
> > >
> > > From: Mikko Rapeli <mikko.rapeli@xxxxxxxxxx>
> > >
> > > Commit "mmc: core: Use mrq.sbc in close-ended ffu" assigns
> > > prev_idata = idatas[i - 1] but doesn't check that int iterator i is
> > > greater than zero. Add the check.
> > I don't think this is even possible given 1/2.
>
> With RPMB ioctl:
>
>         case MMC_DRV_OP_IOCTL_RPMB:
>                 idata = mq_rq->drv_op_data;
>                 for (i = 0, ret = 0; i < mq_rq->ioc_count; i++) {
>                         ret = __mmc_blk_ioctl_cmd(card, md, idata, i);
>                         if (ret)
>                                 break;
>                 }
>
> First call is with i = 0?

I meant bogus MMC_BLK_IOC_SBC should not happen any more.
Anyway, that's fine - let's keep it also.

>
> Cheers,
>
> -Mikko
>
> > Thanks,
> > Avri
> >
> > >
> > > Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
> > >
> > > Link: https://lore.kernel.org/all/20231129092535.3278-1-
> > > avri.altman@xxxxxxx/
> > >
> > > Cc: Avri Altman <avri.altman@xxxxxxx>
> > > Cc: Ulf Hansson <ulf.hansson@xxxxxxxxxx>
> > > Cc: Adrian Hunter <adrian.hunter@xxxxxxxxx>
> > > Cc: linux-mmc@xxxxxxxxxxxxxxx
> > > Cc: stable@xxxxxxxxxxxxxxx
> > > Signed-off-by: Mikko Rapeli <mikko.rapeli@xxxxxxxxxx> Reviewed-by: Avri Altman <avri.altman@xxxxxxx> > > > --- > > > drivers/mmc/core/block.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c > > > index 0df627de9cee..7f275b4ca9fa 100644 > > > --- a/drivers/mmc/core/block.c > > > +++ b/drivers/mmc/core/block.c > > > @@ -488,7 +488,7 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card > > > *card, struct mmc_blk_data *md, > > > if (idata->flags & MMC_BLK_IOC_DROP) > > > return 0; > > > > > > - if (idata->flags & MMC_BLK_IOC_SBC) > > > + if (idata->flags & MMC_BLK_IOC_SBC && i > 0) > > > prev_idata = idatas[i - 1]; > > > > > > /* > > > -- > > > 2.34.1 > >
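
Review bot: the new `i > 0` test in `__mmc_blk_ioctl_cmd()` lets an entry that carries MMC_BLK_IOC_SBC at index 0 fall through silently with prev_idata left unassigned, instead of rejecting it. The rest of the function is not visible in this hunk, so please confirm that every later use of prev_idata tolerates that state, or fail the request explicitly (for example return -EINVAL when the flag is set and i == 0) so that a malformed ioctl array is reported to the caller rather than processed as an ordinary command. Parenthesising the flag test, `(idata->flags & MMC_BLK_IOC_SBC) && i > 0`, would make the precedence obvious at a glance. The commit message could also say, as the discussion above does, that patch 1/2 is expected to keep a bogus MMC_BLK_IOC_SBC from reaching this point, so that readers of the stable backport know this check is defence in depth.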