lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f9ef2a3b-0e8d-199c-bc44-423ef6e963fc@ispras.ru>
Date:   Tue, 1 Aug 2017 19:05:41 +0300
From:   Anton Vasilyev <vasilyev@...ras.ru>
To:     James Ban <James.Ban.opensource@...semi.com>
Cc:     Liam Girdwood <lgirdwood@...il.com>,
        Mark Brown <broonie@...nel.org>, linux-kernel@...r.kernel.org,
        ldv-project@...uxtesting.org
Subject: Buffer overread in pv88090-regulator.ko

Hello.

While searching for memory errors in Linux kernel I've come across
drivers/regulator/pv88090-regulator.ko module.

Buffer overread could occur at pv88090_i2c_probe():

If read from malicious device such values for conf2 and range
(e.g. 0x10000000 and 0x1000 for PV88090_ID_BUCK2) that
             conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
                 PV88090_BUCK_VDAC_RANGE_MASK;
and
             range = (range >>
                  (PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
                 PV88080_BUCK_VRANGE_GAIN_MASK;
become 1 then
             index = ((range << 1) | conf2);
become 3, but index is used for dereference pv88090_buck_vol[3].

Should be index=3 considered as incorrect value and pv88090_i2c_probe() 
must return error,
or pv88090_buck_vol[] should be expanded?

Found by Linux Driver Verification project (linuxtesting.org).

--
Anton Vasilyev
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: vasilyev@...ras.ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ