| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Feb 2021 05:34:23 -0600
From: "Gustavo A. R. Silva" <gustavoars@...nel.org>
To: Lars Povlsen <lars.povlsen@...rochip.com>,
Steen Hegelund <Steen.Hegelund@...rochip.com>,
UNGLinuxDriver@...rochip.com,
Linus Walleij <linus.walleij@...aro.org>
Cc: linux-arm-kernel@...ts.infradead.org, linux-gpio@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: [REPORT][next] pinctrl: pinctrl-microchip-sgpio: out-of-bounds bug
in sgpio_clrsetbits()
Hi,
While addressing some out-of-bounds warnings, I found the following bug:
drivers/pinctrl/pinctrl-microchip-sgpio.c:154:57: warning: array subscript 10 is above array bounds of ‘const u8[10]’ {aka ‘const unsigned char[10]’} [-Warray-bounds]
The bug was introduced by commit be2dc859abd4 ("pinctrl: pinctrl-microchip-sgpio: Add irq support (for sparx5)"):
575 sgpio_clrsetbits(bank->priv, REG_INT_TRIGGER + SGPIO_MAX_BITS, addr.bit,
576 BIT(addr.port), (!!(type & 0x2)) << addr.port);
REG_INT_TRIGGER + SGPIO_MAX_BITS turns out to be 10, which is outside the boundaries
of priv->properties->regoff[] at line 154:
151 static inline void sgpio_clrsetbits(struct sgpio_priv *priv,
152 u32 rno, u32 off, u32 clear, u32 set)
153 {
154 u32 __iomem *reg = &priv->regs[priv->properties->regoff[rno] + off];
155 u32 val = readl(reg);
156
157 val &= ~clear;
158 val |= set;
159
160 writel(val, reg);
161 }
because priv->properties->regoff[] is an array of MAXREG elements, with MAXREG
representing the value of 10 in the following enum:
28 enum {
29 REG_INPUT_DATA,
30 REG_PORT_CONFIG,
31 REG_PORT_ENABLE,
32 REG_SIO_CONFIG,
33 REG_SIO_CLOCK,
34 REG_INT_POLARITY,
35 REG_INT_TRIGGER,
36 REG_INT_ACK,
37 REG_INT_ENABLE,
38 REG_INT_IDENT,
39 MAXREG
40 };
52 struct sgpio_properties {
53 int arch;
54 int flags;
55 u8 regoff[MAXREG];
56 };
Thanks
--
Gustavo
Powered by blists - more mailing lists