| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Aug 2017 18:23:34 +0300
From: Anton Vasilyev <vasilyev@...ras.ru>
To: Jean Delvare <jdelvare@...e.com>
Cc: Anton Vasilyev <vasilyev@...ras.ru>,
Guenter Roeck <linux@...ck-us.net>,
linux-hwmon@...r.kernel.org, linux-kernel@...r.kernel.org,
ldv-project@...uxtesting.org
Subject: [PATCH] hwmon:(stts751) buffer overread on wrong chip configuration
If stts751 hw by some reason reports conversion rate bigger then 9:
ret = i2c_smbus_read_byte_data(priv->client, STTS751_REG_RATE);
then dereference stts751_intervals[priv->interval] leads to buffer
overread.
The path adds sanity check for value read from chip.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Anton Vasilyev <vasilyev@...ras.ru>
---
drivers/hwmon/stts751.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hwmon/stts751.c b/drivers/hwmon/stts751.c
index d56251d..f6eddbd 100644
--- a/drivers/hwmon/stts751.c
+++ b/drivers/hwmon/stts751.c
@@ -718,6 +718,10 @@ static int stts751_read_chip_config(struct stts751_priv *priv)
ret = i2c_smbus_read_byte_data(priv->client, STTS751_REG_RATE);
if (ret < 0)
return ret;
+ if (ret > ARRAY_SIZE(stts751_intervals)) {
+ dev_err(priv->dev, "Unrecognized conversion rate 0x%x\n", ret);
+ return -ENODEV;
+ }
priv->interval = ret;
ret = stts751_read_reg16(priv, &priv->event_max,
--
2.7.4
Powered by blists - more mailing lists