On Wed, Mar 13, 2024 at 02:12:52PM +0000, Avri Altman wrote:
-----Original Message----- From: mikko.rapeli@linaro.org mikko.rapeli@linaro.org Sent: Wednesday, March 13, 2024 3:38 PM To: linux-mmc@vger.kernel.org Cc: Mikko Rapeli mikko.rapeli@linaro.org; Avri Altman Avri.Altman@wdc.com; Ulf Hansson ulf.hansson@linaro.org; Adrian Hunter adrian.hunter@intel.com; stable@vger.kernel.org Subject: [PATCH 2/2] mmc core block.c: avoid negative index with array access
CAUTION: This email originated from outside of Western Digital. Do not click on links or open attachments unless you recognize the sender and know that the content is safe.
From: Mikko Rapeli mikko.rapeli@linaro.org
Commit "mmc: core: Use mrq.sbc in close-ended ffu" assigns prev_idata = idatas[i - 1] but doesn't check that int iterator i is greater than zero. Add the check.
I don't think this is even possible given 1/2.
With RPMB ioctl:
case MMC_DRV_OP_IOCTL_RPMB: idata = mq_rq->drv_op_data; for (i = 0, ret = 0; i < mq_rq->ioc_count; i++) { ret = __mmc_blk_ioctl_cmd(card, md, idata, i); if (ret) break; }
First call is with i = 0?
I meant bogus MMC_BLK_IOC_SBC should not happened any more. Anyway, that's fine - let's keep it also.
Cheers,
-Mikko
Thanks, Avri
Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
Link: https://lore.kernel.org/all/20231129092535.3278-1- avri.altman@wdc.com/
Cc: Avri Altman avri.altman@wdc.com Cc: Ulf Hansson ulf.hansson@linaro.org Cc: Adrian Hunter adrian.hunter@intel.com Cc: linux-mmc@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Mikko Rapeli mikko.rapeli@linaro.org
Reviewed-by: Avri Altman avri.altman@wdc.com
drivers/mmc/core/block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index 0df627de9cee..7f275b4ca9fa 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -488,7 +488,7 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md, if (idata->flags & MMC_BLK_IOC_DROP) return 0;
if (idata->flags & MMC_BLK_IOC_SBC)
if (idata->flags & MMC_BLK_IOC_SBC && i > 0) prev_idata = idatas[i - 1]; /*
-- 2.34.1