Re: [CHECKER] 24 more buffer overruns in 2.5.48

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Thu Jan 02 2003 - 20:53:36 EST

Next message: Alan Cox: "Re: [PATCH] TCP Zero Copy for mmapped files"
Previous message: Lionel Bouton: "Re: UDMA 133 on a 40 pin cable"
In reply to: Andy Chou: "[CHECKER] 24 more buffer overruns in 2.5.48"
Next in thread: Andy Chou: "Re: [CHECKER] 24 more buffer overruns in 2.5.48"
Reply: Andy Chou: "Re: [CHECKER] 24 more buffer overruns in 2.5.48"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> [BUG] Possibly the caller's fault.
> /u1/acc/linux/2.5.48/drivers/ide/ide-lib.c:380:ide_get_best_pio_mode: ERROR:BUFFER:380:380:Array bounds error: ide_pio_timings[6] indexed with [255] [Callstack: /u1/acc/linux/2.5.48/drivers/ide/legacy/qd65xx.c:272:ide_get_best_pio_mode(_, _, 255, _)]
> pio_mode = max_mode;
> cycle_time = 0;
> }
> if (d) {
> d->pio_mode = pio_mode;
>
> Error --->
> d->cycle_time = cycle_time ? cycle_time : ide_pio_timings[pio_mode].cycle_time;
> d->use_iordy = use_iordy;
> d->overridden = overridden;
> d->blacklisted = blacklisted;

I can't construct a scenario in which this can occur.

> ---------------------------------------------------------
> [BUG] Bug in caller.
> /u1/acc/linux/2.5.48/drivers/media/video/bt856.c:100:bt856_setbit: ERROR:BUFFER:100:100:Array bounds error: dev->reg[128] indexed with [220] [Callstack: /u1/acc/linux/2.5.48/drivers/media/video/bt856.c:146:bt856_setbit(<len=160, off=0>, 220, 3, 1)]
> return i2c_probe(adap, &addr_data , bt856_attach);
> }
>
> static int bt856_setbit(struct bt856 *dev, int subaddr, int bit, int data)
> {
>
> Error --->
> return i2c_smbus_write_byte_data(dev->client, subaddr,(dev->reg[subaddr] & ~(1 << bit)) | (data ? (1 << bit) : 0));
> }

Yep. Looks like a conversion error

> [BUG] Loop should be while(n < nbytes)?

Looks more like it needs if bytes%3 -> ERROR check

> [BUG] [GEM] The caller is probably at fault: look at the call chain.
> /u1/acc/linux/2.5.48/drivers/video/fbgen.c:180:do_install_cmap: ERROR:BUFFER:180:180:Array bounds error: fb_display[63] indexed with [-1] [Callstack: /u1/acc/linux/2.5.48/drivers/video/aty128fb.c:1746:aty128fb_set_var(_, -1, _) -> /u1/acc/linux/2.5.48/drivers/video/aty128fb.c:1406:do_install_cmap(-1, _)]
>
> void do_install_cmap(int con, struct fb_info *info)
> {
> if (con != info->currcon)
> return;

currcon can never be -1. I don't think the compiler can ever deduce that
detail though.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: [PATCH] TCP Zero Copy for mmapped files"
Previous message: Lionel Bouton: "Re: UDMA 133 on a 40 pin cable"
In reply to: Andy Chou: "[CHECKER] 24 more buffer overruns in 2.5.48"
Next in thread: Andy Chou: "Re: [CHECKER] 24 more buffer overruns in 2.5.48"
Reply: Andy Chou: "Re: [CHECKER] 24 more buffer overruns in 2.5.48"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Jan 07 2003 - 22:00:19 EST