lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <0ACAE736BB7A70499F1D8D5E6AC1854C0337FB3346@NB-EX-MBX01.diasemi.com>
Date:   Wed, 2 Aug 2017 02:44:01 +0000
From:   James Seong-Won Ban <James.Ban.opensource@...semi.com>
To:     Anton Vasilyev <vasilyev@...ras.ru>
CC:     Liam Girdwood <lgirdwood@...il.com>,
        Mark Brown <broonie@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "ldv-project@...uxtesting.org" <ldv-project@...uxtesting.org>,
        "Eric Hyeung Dong Jeong" <eric.jeong@...semi.com>
Subject: RE: Buffer overread in pv88090-regulator.ko

Hi Anton,

I have not thought this driver should be loaded for any malicious device.
Anyway we will update it.

Regards,
James

> -----Original Message-----
> From: Anton Vasilyev [mailto:vasilyev@...ras.ru]
> Sent: Wednesday, August 02, 2017 1:06 AM
> To: James Seong-Won Ban
> Cc: Liam Girdwood; Mark Brown; linux-kernel@...r.kernel.org; ldv-
> project@...uxtesting.org
> Subject: Buffer overread in pv88090-regulator.ko
> 
> Hello.
> 
> While searching for memory errors in Linux kernel I've come across
> drivers/regulator/pv88090-regulator.ko module.
> 
> Buffer overread could occur at pv88090_i2c_probe():
> 
> If read from malicious device such values for conf2 and range (e.g. 0x10000000
> and 0x1000 for PV88090_ID_BUCK2) that
>              conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
>                  PV88090_BUCK_VDAC_RANGE_MASK; and
>              range = (range >>
>                   (PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
>                  PV88080_BUCK_VRANGE_GAIN_MASK; become 1 then
>              index = ((range << 1) | conf2); become 3, but index is used for
> dereference pv88090_buck_vol[3].
> 
> Should be index=3 considered as incorrect value and pv88090_i2c_probe() must
> return error, or pv88090_buck_vol[] should be expanded?
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> --
> Anton Vasilyev
> Linux Verification Center, ISPRAS
> web: http://linuxtesting.org
> e-mail: vasilyev@...ras.ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ