lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fcd655fb3c1b70c06719ebad08983d66@agner.ch>
Date:   Sat, 15 Apr 2017 09:53:30 -0700
From:   Stefan Agner <stefan@...er.ch>
To:     Axel Lin <axel.lin@...ics.com>
Cc:     Lee Jones <lee.jones@...aro.org>,
        Marcel Ziswiler <marcel.ziswiler@...adex.com>,
        Mark Brown <broonie@...nel.org>,
        Liam Girdwood <lgirdwood@...il.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

On 2017-04-15 07:52, Axel Lin wrote:
> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
> So for rn5t618, there is out of bounds array access when checking
> regulators[i].name in the for loop.

I use designated initializers ([RN5T618_##rid] = {..), which guarantee
that the non initialized elements are zero. The highest element LDORTC2
is defined, hence the length of the array should be RN5T618_REG_NUM.

See also
https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html

--
Stefan


> 
> The number of regulators is different for rn5t567 and rn5t618, so we had
> better remove RN5T618_REG_NUM and get the correct num_regulators during
> probe instead.
> 
> Fixes: ed6d362d8dbc ("regulator: rn5t618: Add RN5T567 PMIC support")
> Signed-off-by: Axel Lin <axel.lin@...ics.com>
> ---
> RESEND: Correct subject line (remove double Fix)
> 
>  drivers/regulator/rn5t618-regulator.c | 8 ++++----
>  include/linux/mfd/rn5t618.h           | 1 -
>  2 files changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/regulator/rn5t618-regulator.c
> b/drivers/regulator/rn5t618-regulator.c
> index 8d2819e..0c09143 100644
> --- a/drivers/regulator/rn5t618-regulator.c
> +++ b/drivers/regulator/rn5t618-regulator.c
> @@ -85,14 +85,17 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
>  	struct regulator_config config = { };
>  	struct regulator_dev *rdev;
>  	struct regulator_desc *regulators;
> +	int num_regulators;
>  	int i;
>  
>  	switch (rn5t618->variant) {
>  	case RN5T567:
>  		regulators = rn5t567_regulators;
> +		num_regulators = ARRAY_SIZE(rn5t567_regulators);
>  		break;
>  	case RN5T618:
>  		regulators = rn5t618_regulators;
> +		num_regulators = ARRAY_SIZE(rn5t618_regulators);
>  		break;
>  	default:
>  		return -EINVAL;
> @@ -101,10 +104,7 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
>  	config.dev = pdev->dev.parent;
>  	config.regmap = rn5t618->regmap;
>  
> -	for (i = 0; i < RN5T618_REG_NUM; i++) {
> -		if (!regulators[i].name)
> -			continue;
> -
> +	for (i = 0; i < num_regulators; i++) {
>  		rdev = devm_regulator_register(&pdev->dev,
>  					       &regulators[i],
>  					       &config);
> diff --git a/include/linux/mfd/rn5t618.h b/include/linux/mfd/rn5t618.h
> index e5a6cde..d7b3155 100644
> --- a/include/linux/mfd/rn5t618.h
> +++ b/include/linux/mfd/rn5t618.h
> @@ -233,7 +233,6 @@ enum {
>  	RN5T618_LDO5,
>  	RN5T618_LDORTC1,
>  	RN5T618_LDORTC2,
> -	RN5T618_REG_NUM,
>  };
>  
>  enum {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ