lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <87o8h1uzrk.fsf@microchip.com> Date: Wed, 3 Feb 2021 13:00:47 +0100 From: Lars Povlsen <lars.povlsen@...rochip.com> To: "Gustavo A. R. Silva" <gustavoars@...nel.org> CC: Lars Povlsen <lars.povlsen@...rochip.com>, Steen Hegelund <Steen.Hegelund@...rochip.com>, <UNGLinuxDriver@...rochip.com>, Linus Walleij <linus.walleij@...aro.org>, <linux-arm-kernel@...ts.infradead.org>, <linux-gpio@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <linux-hardening@...r.kernel.org> Subject: Re: [REPORT][next] pinctrl: pinctrl-microchip-sgpio: out-of-bounds bug in sgpio_clrsetbits() Gustavo A. R. Silva writes: > Hi, > > While addressing some out-of-bounds warnings, I found the following bug: > > drivers/pinctrl/pinctrl-microchip-sgpio.c:154:57: warning: array subscript 10 is above array bounds of ‘const u8[10]’ {aka ‘const unsigned char[10]’} [-Warray-bounds] > > The bug was introduced by commit be2dc859abd4 ("pinctrl: pinctrl-microchip-sgpio: Add irq support (for sparx5)"): > > 575 sgpio_clrsetbits(bank->priv, REG_INT_TRIGGER + SGPIO_MAX_BITS, addr.bit, > 576 BIT(addr.port), (!!(type & 0x2)) << addr.port); > > REG_INT_TRIGGER + SGPIO_MAX_BITS turns out to be 10, which is outside the boundaries > of priv->properties->regoff[] at line 154: Hi Gustavo! Thanks for spotting this - the "+" is misplaced. I will submit a patch asap. Cheers, ---Lars > > 151 static inline void sgpio_clrsetbits(struct sgpio_priv *priv, > 152 u32 rno, u32 off, u32 clear, u32 set) > 153 { > 154 u32 __iomem *reg = &priv->regs[priv->properties->regoff[rno] + off]; > 155 u32 val = readl(reg); > 156 > 157 val &= ~clear; > 158 val |= set; > 159 > 160 writel(val, reg); > 161 } > > because priv->properties->regoff[] is an array of MAXREG elements, with MAXREG > representing the value of 10 in the following enum: > > 28 enum { > 29 REG_INPUT_DATA, > 30 REG_PORT_CONFIG, > 31 REG_PORT_ENABLE, > 32 REG_SIO_CONFIG, > 33 REG_SIO_CLOCK, > 34 REG_INT_POLARITY, > 35 REG_INT_TRIGGER, > 36 REG_INT_ACK, > 37 REG_INT_ENABLE, > 38 REG_INT_IDENT, > 39 MAXREG > 40 }; > > 52 struct sgpio_properties { > 53 int arch; > 54 int flags; > 55 u8 regoff[MAXREG]; > 56 }; > > Thanks -- Lars Povlsen, Microchip
Powered by blists - more mailing lists