Open Source and information security mailing list archives
Message-ID: <af1a1044-5f45-ecaf-244e-90650f17ff17@canonical.com>
Date:   Tue, 6 Oct 2020 18:59:22 +0100
From:   Colin Ian King <colin.king@...onical.com>
To:     Dan Murphy <dmurphy@...com>, Sebastian Reichel <sre@...nel.org>
Cc:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: power: supply: bq25980: Add support for the BQ259xx family

Hi

Static analysis with Coverity has detected a potential out-of-bounds
read issue in the following commit:

commit 5069185fc18e810715a91d80fcd075e03add600c
Author: Dan Murphy <dmurphy@...com>
Date:   Mon Aug 31 11:48:49 2020 -0500

    power: supply: bq25980: Add support for the BQ259xx family


Analysis is as follows:

1099 static int bq25980_hw_init(struct bq25980_device *bq)
1100 {
1101        struct power_supply_battery_info bat_info = { };
1102        int wd_reg_val;
1103        int ret = 0;
1104        int curr_val;
1105        int volt_val;
1106        int i;
1107

    1. Condition !bq->watchdog_timer, taking false branch.
1108        if (!bq->watchdog_timer) {
1109                ret = regmap_update_bits(bq->regmap, BQ25980_CHRGR_CTRL_3,
1110                                         BQ25980_WATCHDOG_DIS,
1111                                         BQ25980_WATCHDOG_DIS);
1112        } else {

    2. Condition i < 4, taking true branch.
    6. Condition i < 4, taking true branch.
    7. cond_at_most: Checking i < 4 implies that i may be up to 3 on the true branch.
1113                for (i = 0; i < BQ25980_NUM_WD_VAL; i++) {

    3. Condition bq->watchdog_timer > bq25980_watchdog_time[i], taking true branch.
    4. Condition bq->watchdog_timer < bq25980_watchdog_time[i + 1], taking false branch.
    8. Condition bq->watchdog_timer > bq25980_watchdog_time[i], taking true branch.

Out-of-bounds read (OVERRUN)
    9. overrun-local: Overrunning array bq25980_watchdog_time of 4 4-byte elements at element index 4 (byte offset 19) using index i + 1 (which evaluates to 4).

1114                        if (bq->watchdog_timer > bq25980_watchdog_time[i] &&
1115                            bq->watchdog_timer < bq25980_watchdog_time[i + 1]) {
1116                                wd_reg_val = i;
1117                                break;
1118                        }
    5. Jumping back to the beginning of the loop.
1119                }

Accessing bq25980_watchdog_time[i + 1] when i is 3 causes the
out-of-range read.

Colin
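
Added example, not part of the message above and not the driver's code or its eventual fix: the flagged loop shape with its array reads routed through a checking helper, so it reports which inputs reach index 4, next to a bounded lookup. The table values, the names rd, wd_lookup_flagged and wd_lookup_bounded, and the clamping policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define NUM_WD_VAL 4

/* Constructed sample thresholds (assumption: the driver's real table is not on the page). */
const int wd_time[NUM_WD_VAL] = { 5000, 10000, 50000, 300000 };

/* Read wd_time[idx]; on an out-of-range index, record it in *oob instead of reading. */
static int rd(size_t idx, bool *oob)
{
	if (idx >= NUM_WD_VAL) {
		*oob = true;
		return 0;
	}
	return wd_time[idx];
}

/*
 * Same loop shape as the flagged code, with reads routed through rd() so the
 * overrun is reported rather than performed. Returns the matched index, or -1
 * when no iteration matches (in the quoted lines, wd_reg_val is assigned only
 * on a match, so it would stay unset in that case).
 */
int wd_lookup_flagged(int timer, bool *oob)
{
	*oob = false;
	for (size_t i = 0; i < NUM_WD_VAL; i++) {
		if (timer > rd(i, oob) && timer < rd(i + 1, oob))
			return (int)i;
	}
	return -1;
}

/*
 * Bounded variant: i + 1 never exceeds the last index, a value equal to a
 * threshold selects that threshold, and values past either end are clamped
 * to the first or last entry (clamping is an assumed policy).
 */
int wd_lookup_bounded(int timer)
{
	for (size_t i = 0; i + 1 < NUM_WD_VAL; i++) {
		if (timer < wd_time[i + 1])
			return (int)i;
	}
	return NUM_WD_VAL - 1;
}
```

With the sample table, only a timer value above the last entry reaches index 4 in the flagged shape, and a value exactly equal to a table entry matches no iteration because both comparisons are strict.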
