From b7f0ee3cde0e2cbeca0928b4a724f607dbca4b00 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Sat, 25 Jul 2020 14:21:25 +0000 Subject: [PATCH] qla2x00t-32gbit: Fix a Coverity complaint in qla2100_fw_dump() 'cnt' can exceed the size of the risc_ram[] array. Prevent that Coverity complains by rewriting an address calculation expression. This patch fixes the following Coverity complaint: CID 337803 (#1 of 1): Out-of-bounds read (OVERRUN) 109. overrun-local: Overrunning array of 122880 bytes at byte offset 122880 by dereferencing pointer &fw->risc_ram[cnt]. Link: https://lore.kernel.org/r/20200629225454.22863-8-bvanassche@acm.org Cc: Nilesh Javali Cc: Quinn Tran Cc: Himanshu Madhani Cc: Martin Wilck Cc: Roman Bolshakov Reviewed-by: Daniel Wagner Reviewed-by: Himanshu Madhani Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen See also commit 57fec9f24e580d8fe4219ee89572f49758e62c75 upstream. git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@9068 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 qla2x00t-32gbit/qla_dbg.c | 2 +-
 qla2x00t-32gbit/qla_dbg.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/qla2x00t-32gbit/qla_dbg.c b/qla2x00t-32gbit/qla_dbg.c
index 19005710f..41493bd53 100644
--- a/qla2x00t-32gbit/qla_dbg.c
+++ b/qla2x00t-32gbit/qla_dbg.c
@@ -1063,7 +1063,7 @@ qla2100_fw_dump(scsi_qla_host_t *vha)
 }
 if (rval == QLA_SUCCESS)
- qla2xxx_copy_queues(ha, &fw->risc_ram[cnt]);
+ qla2xxx_copy_queues(ha, &fw->queue_dump[0]);
 qla2xxx_dump_post_process(base_vha, rval);
 }
diff --git a/qla2x00t-32gbit/qla_dbg.h b/qla2x00t-32gbit/qla_dbg.h
index 54ed020e6..91eb69018 100644
--- a/qla2x00t-32gbit/qla_dbg.h
+++ b/qla2x00t-32gbit/qla_dbg.h
@@ -53,6 +53,7 @@ struct qla2100_fw_dump {
 __be16 fpm_b0_reg[64];
 __be16 fpm_b1_reg[64];
 __be16 risc_ram[0xf000];
+ u8 queue_dump[];
 };
 struct qla24xx_fw_dump {
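Review bot: The new call `qla2xxx_copy_queues(ha, &fw->queue_dump[0]);` still passes a bare destination pointer with no length, so how much is written after `risc_ram[]` is bounded only by the size of the dump buffer, and that allocation is not visible in this hunk. Because `queue_dump[]` is a flexible array member, a static analyser has no declared bound to check at this call any more; the overrun report goes away, but the size relationship is not stated anywhere in the visible code. I would add a comment at the call, for example `/* queue_dump[] is the tail of the dump buffer; the allocation must reserve room for the copied queues */`, and confirm that the allocation site really does add the queue sizes. qla2100_fw_dump() begins above the hunk, so the loop that sets `cnt` cannot be checked from here.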
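Review bot: The added member `u8 queue_dump[];` has no comment, and nothing in the struct says what fills it or that it is variable-length trailing data. A one-line comment would make the layout contract explicit for the next reader, for example `u8 queue_dump[]; /* written by qla2xxx_copy_queues(); length set by the dump buffer allocation */`. The struct definition starts above the hunk, so only its last three fixed members are visible here.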