[v2,1/7] i2c: npcm: restore slave addresses array length

Message ID	20240830034640.7049-2-kfting@nuvoton.com
State	New
Headers	show Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B7E751369AE; Fri, 30 Aug 2024 03:48:55 +0000 (UTC) From: Tyrone Ting <warp5tw@gmail.com> To: avifishman70@gmail.com, tmaimon77@gmail.com, tali.perry1@gmail.com, venture@google.com, yuenn@google.com, benjaminfair@google.com, andi.shyti@kernel.org, andriy.shevchenko@linux.intel.com, wsa@kernel.org, rand.sec96@gmail.com, wsa+renesas@sang-engineering.com, warp5tw@gmail.com, tali.perry@nuvoton.com, Avi.Fishman@nuvoton.com, tomer.maimon@nuvoton.com, KWLIU@nuvoton.com, JJLIU0@nuvoton.com, kfting@nuvoton.com Cc: openbmc@lists.ozlabs.org, linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 1/7] i2c: npcm: restore slave addresses array length Date: Fri, 30 Aug 2024 11:46:34 +0800 Message-Id: <20240830034640.7049-2-kfting@nuvoton.com> In-Reply-To: <20240830034640.7049-1-kfting@nuvoton.com> References: <20240830034640.7049-1-kfting@nuvoton.com> Precedence: bulk
Series	[v2,1/7] i2c: npcm: restore slave addresses array length \| expand [v2,1/7] i2c: npcm: restore slave addresses array length [v2,3/7] i2c: npcm: use a software flag to indicate a BER condition [v2,5/7] i2c: npcm: Modify the client address assignment [v2,7/7] i2c: npcm: Enable slave in eob interrupt

Tyrone Ting Aug. 30, 2024, 3:46 a.m. UTC

The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
The original design supports 10 slave addresses although only 2
addresses are required for current implementation.

Restore the npcm_i2caddr array length to fix the smatch warning.

Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
---
 drivers/i2c/busses/i2c-npcm7xx.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Andi Shyti Sept. 5, 2024, 9:23 p.m. UTC | #1

Hi Tyrone,

On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> The original design supports 10 slave addresses although only 2

please remember that the "slave" term has been replaced by the
"target" term. I will change it when applying the patch.

> addresses are required for current implementation.
> 
> Restore the npcm_i2caddr array length to fix the smatch warning.
> 
> Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")

I don't think the Fixes tag is necessary here. This change is
primarily addressing a static analyzer warning. While some cases
come close to a buffer overflow, it couldn’t have occurred in
practice since we don't actually have the devices listed in
npcm_i2caddr[].

> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
> ---
>  drivers/i2c/busses/i2c-npcm7xx.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/i2c/busses/i2c-npcm7xx.c b/drivers/i2c/busses/i2c-npcm7xx.c
> index 2fe68615942e..bbcb4d6668ce 100644
> --- a/drivers/i2c/busses/i2c-npcm7xx.c
> +++ b/drivers/i2c/busses/i2c-npcm7xx.c
> @@ -136,11 +136,13 @@ enum i2c_addr {
>   * Since the addr regs are sprinkled all over the address space,
>   * use this array to get the address or each register.
>   */
> -#define I2C_NUM_OWN_ADDR 2
> +#define I2C_NUM_OWN_ADDR 10
>  #define I2C_NUM_OWN_ADDR_SUPPORTED 2
>  
>  static const int npcm_i2caddr[I2C_NUM_OWN_ADDR] = {
> -	NPCM_I2CADDR1, NPCM_I2CADDR2,
> +	NPCM_I2CADDR1, NPCM_I2CADDR2, NPCM_I2CADDR3, NPCM_I2CADDR4,
> +	NPCM_I2CADDR5, NPCM_I2CADDR6, NPCM_I2CADDR7, NPCM_I2CADDR8,
> +	NPCM_I2CADDR9, NPCM_I2CADDR10,

Looks a bit hacky, but serves the purpose.

The core issue in "npcm_i2c_slave_enable()" is the lack of an
upper boundary check, which could potentially lead to a buffer
overflow. In practice, we rely on the assumption that these
addresses don’t exist in the real world.

An easier fix could have been:

@@ -629,7 +629,7 @@ static int npcm_i2c_slave_enable(struct npcm_i2c *bus, enum i2c_addr addr_type,
        if (addr_type > I2C_SLAVE_ADDR2 && addr_type <= I2C_SLAVE_ADDR10)
                dev_err(bus->dev, "try to enable more than 2 SA not supported\n");

-       if (addr_type >= I2C_ARP_ADDR)
+       if (addr_type > I2C_SLAVE_ADDR2)
                return -EFAULT;

        /* Set and enable the address */

But yours is a bit more robust, so that I'm going to take this
patch.

Reviewed-by: Andi Shyti <andi.shyti@kernel.org>

Thanks,
Andi

>  };
>  #endif
>  
> -- 
> 2.34.1
>

Andi Shyti Sept. 5, 2024, 9:36 p.m. UTC | #2

Hi Tyrone,

On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> The original design supports 10 slave addresses although only 2
> addresses are required for current implementation.
> 
> Restore the npcm_i2caddr array length to fix the smatch warning.
> 
> Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> Signed-off-by: Tyrone Ting <kfting@nuvoton.com>

your email used in From: is different that your e-mail used the
SoB. Is this done in purpose? If so I will keep it as it is, no
problem for me, otherwise I can fix it while applying it.

Andi

Tyrone Ting Sept. 6, 2024, 2:23 a.m. UTC | #3

Hi Andi:

Thank you for your review.

Andi Shyti <andi.shyti@kernel.org> 於 2024年9月6日 週五 上午5:24寫道：
>
> Hi Tyrone,
>
> On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> > The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> > The original design supports 10 slave addresses although only 2
>
> please remember that the "slave" term has been replaced by the
> "target" term. I will change it when applying the patch.
>

Thank you for your reminder. I'll change the term ever since.

> > addresses are required for current implementation.
> >
> > Restore the npcm_i2caddr array length to fix the smatch warning.
> >
> > Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
>
> I don't think the Fixes tag is necessary here. This change is
> primarily addressing a static analyzer warning. While some cases
> come close to a buffer overflow, it couldn’t have occurred in
> practice since we don't actually have the devices listed in
> npcm_i2caddr[].
>

Understood. I'll remove the Fixes tag.

> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> > Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
> > ---
> >  drivers/i2c/busses/i2c-npcm7xx.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/i2c/busses/i2c-npcm7xx.c b/drivers/i2c/busses/i2c-npcm7xx.c
> > index 2fe68615942e..bbcb4d6668ce 100644
> > --- a/drivers/i2c/busses/i2c-npcm7xx.c
> > +++ b/drivers/i2c/busses/i2c-npcm7xx.c
> > @@ -136,11 +136,13 @@ enum i2c_addr {
> >   * Since the addr regs are sprinkled all over the address space,
> >   * use this array to get the address or each register.
> >   */
> > -#define I2C_NUM_OWN_ADDR 2
> > +#define I2C_NUM_OWN_ADDR 10
> >  #define I2C_NUM_OWN_ADDR_SUPPORTED 2
> >
> >  static const int npcm_i2caddr[I2C_NUM_OWN_ADDR] = {
> > -     NPCM_I2CADDR1, NPCM_I2CADDR2,
> > +     NPCM_I2CADDR1, NPCM_I2CADDR2, NPCM_I2CADDR3, NPCM_I2CADDR4,
> > +     NPCM_I2CADDR5, NPCM_I2CADDR6, NPCM_I2CADDR7, NPCM_I2CADDR8,
> > +     NPCM_I2CADDR9, NPCM_I2CADDR10,
>
> Looks a bit hacky, but serves the purpose.
>
> The core issue in "npcm_i2c_slave_enable()" is the lack of an
> upper boundary check, which could potentially lead to a buffer
> overflow. In practice, we rely on the assumption that these
> addresses don’t exist in the real world.
>
> An easier fix could have been:
>
> @@ -629,7 +629,7 @@ static int npcm_i2c_slave_enable(struct npcm_i2c *bus, enum i2c_addr addr_type,
>         if (addr_type > I2C_SLAVE_ADDR2 && addr_type <= I2C_SLAVE_ADDR10)
>                 dev_err(bus->dev, "try to enable more than 2 SA not supported\n");
>
> -       if (addr_type >= I2C_ARP_ADDR)
> +       if (addr_type > I2C_SLAVE_ADDR2)
>                 return -EFAULT;
>
>         /* Set and enable the address */
>
> But yours is a bit more robust, so that I'm going to take this
> patch.
>
> Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
>
> Thanks,
> Andi
>
> >  };
> >  #endif
> >
> > --
> > 2.34.1
> >

Thank you.

Regards,
Tyrone

Tyrone Ting Sept. 6, 2024, 2:28 a.m. UTC | #4

Hi Andy:

Thank you for your comments.

Andi Shyti <andi.shyti@kernel.org> 於 2024年9月6日 週五 上午5:36寫道：
>
> Hi Tyrone,
>
> On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> > The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> > The original design supports 10 slave addresses although only 2
> > addresses are required for current implementation.
> >
> > Restore the npcm_i2caddr array length to fix the smatch warning.
> >
> > Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> > Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
>
> your email used in From: is different that your e-mail used the
> SoB. Is this done in purpose? If so I will keep it as it is, no
> problem for me, otherwise I can fix it while applying it.
>

I'll add the option "--from kfting@nuvoton.com", same as the patch
author's email while using the tool "git send-email"
in the next patch set.

> Andi

Have a nice day.

Thank you.

Regards,
Tyrone

Andi Shyti Sept. 6, 2024, 6:49 a.m. UTC | #5

Hi Tyrone,

On Fri, Sep 06, 2024 at 10:28:30AM GMT, Tyrone Ting wrote:
> Hi Andy:
> 
> Thank you for your comments.
> 
> Andi Shyti <andi.shyti@kernel.org> 於 2024年9月6日 週五 上午5:36寫道：
> >
> > Hi Tyrone,
> >
> > On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> > > The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> > > The original design supports 10 slave addresses although only 2
> > > addresses are required for current implementation.
> > >
> > > Restore the npcm_i2caddr array length to fix the smatch warning.
> > >
> > > Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
> > > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > > Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> > > Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
> >
> > your email used in From: is different that your e-mail used the
> > SoB. Is this done in purpose? If so I will keep it as it is, no
> > problem for me, otherwise I can fix it while applying it.
> >
> 
> I'll add the option "--from kfting@nuvoton.com", same as the patch
> author's email while using the tool "git send-email"
> in the next patch set.

don't worry, I will apply this patch number '1' because it's
independent from the rest of the series. I will do all the
changes you agreed with me.

When you resend this series you don't need to include this patch,
just rebase on top of i2c/i2c-hostp[*].

Thanks,
Andi

[*] git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux.git

> > Andi
> 
> Have a nice day.
> 
> Thank you.
> 
> Regards,
> Tyrone

Andi Shyti Sept. 6, 2024, 7:05 a.m. UTC | #6

Hi Tyrone,

On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> The original design supports 10 slave addresses although only 2
> addresses are required for current implementation.
> 
> Restore the npcm_i2caddr array length to fix the smatch warning.
> 
> Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> Signed-off-by: Tyrone Ting <kfting@nuvoton.com>

with the changes we agreed, I merged just this first patch in
i2c/i2c-host.

Thanks,
Andi

Tyrone Ting Sept. 6, 2024, 8:01 a.m. UTC | #7

Hi Andi:

Thank you for your prompt response and help.

Andi Shyti <andi.shyti@kernel.org> 於 2024年9月6日 週五 下午3:05寫道：
>
> Hi Tyrone,
>
> On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> > The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> > The original design supports 10 slave addresses although only 2
> > addresses are required for current implementation.
> >
> > Restore the npcm_i2caddr array length to fix the smatch warning.
> >
> > Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> > Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
>
> with the changes we agreed, I merged just this first patch in
> i2c/i2c-host.
>
> Thanks,
> Andi

Have a nice day.

Regards,
Tyrone

Andy Shevchenko Sept. 6, 2024, 11:40 a.m. UTC | #8

On Thu, Sep 05, 2024 at 11:36:45PM +0200, Andi Shyti wrote:
> On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> > The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> > The original design supports 10 slave addresses although only 2
> > addresses are required for current implementation.
> > 
> > Restore the npcm_i2caddr array length to fix the smatch warning.
> > 
> > Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> > Signed-off-by: Tyrone Ting <kfting@nuvoton.com>
> 
> your email used in From: is different that your e-mail used the
> SoB. Is this done in purpose? If so I will keep it as it is, no
> problem for me, otherwise I can fix it while applying it.

IIRC Linux Next has the respective check and it will become your problem :-)

[v2,1/7] i2c: npcm: restore slave addresses array length

Commit Message

Comments

Patch