lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Feb 2021 05:34:23 -0600 From: "Gustavo A. R. Silva" <gustavoars@...nel.org> To: Lars Povlsen <lars.povlsen@...rochip.com>, Steen Hegelund <Steen.Hegelund@...rochip.com>, UNGLinuxDriver@...rochip.com, Linus Walleij <linus.walleij@...aro.org> Cc: linux-arm-kernel@...ts.infradead.org, linux-gpio@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: [REPORT][next] pinctrl: pinctrl-microchip-sgpio: out-of-bounds bug in sgpio_clrsetbits() Hi, While addressing some out-of-bounds warnings, I found the following bug: drivers/pinctrl/pinctrl-microchip-sgpio.c:154:57: warning: array subscript 10 is above array bounds of ‘const u8[10]’ {aka ‘const unsigned char[10]’} [-Warray-bounds] The bug was introduced by commit be2dc859abd4 ("pinctrl: pinctrl-microchip-sgpio: Add irq support (for sparx5)"): 575 sgpio_clrsetbits(bank->priv, REG_INT_TRIGGER + SGPIO_MAX_BITS, addr.bit, 576 BIT(addr.port), (!!(type & 0x2)) << addr.port); REG_INT_TRIGGER + SGPIO_MAX_BITS turns out to be 10, which is outside the boundaries of priv->properties->regoff[] at line 154: 151 static inline void sgpio_clrsetbits(struct sgpio_priv *priv, 152 u32 rno, u32 off, u32 clear, u32 set) 153 { 154 u32 __iomem *reg = &priv->regs[priv->properties->regoff[rno] + off]; 155 u32 val = readl(reg); 156 157 val &= ~clear; 158 val |= set; 159 160 writel(val, reg); 161 } because priv->properties->regoff[] is an array of MAXREG elements, with MAXREG representing the value of 10 in the following enum: 28 enum { 29 REG_INPUT_DATA, 30 REG_PORT_CONFIG, 31 REG_PORT_ENABLE, 32 REG_SIO_CONFIG, 33 REG_SIO_CLOCK, 34 REG_INT_POLARITY, 35 REG_INT_TRIGGER, 36 REG_INT_ACK, 37 REG_INT_ENABLE, 38 REG_INT_IDENT, 39 MAXREG 40 }; 52 struct sgpio_properties { 53 int arch; 54 int flags; 55 u8 regoff[MAXREG]; 56 }; Thanks -- Gustavo
Powered by blists - more mailing lists