lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 20 Oct 2022 15:46:17 +0800
From:   ChiYuan Huang <u0084500@...il.com>
To:     lee@...nel.org
Cc:     matthias.bgg@...il.com, gene_chen@...htek.com,
        linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org,
        ChiYuan Huang <cy_huang@...htek.com>, stable@...r.kernel.org
Subject: Re: [PATCH v2] mfd: mt6360: add bound check in regmap read/write function

Hi,

cy_huang <u0084500@...il.com> 於 2022年9月29日 週四 上午10:00寫道:
>
> From: ChiYuan Huang <cy_huang@...htek.com>
>
> Fix the potential risk for null pointer if bank index is over the maximum.
>
> Refer to the discussion list for the experiment result on mt6370.
> https://lore.kernel.org/all/20220914013345.GA5802@cyhuang-hp-elitebook-840-g3.rt/
> If not to check the bound, there is the same issue on mt6360.
>
> Fixes: 3b0850440a06c (mfd: mt6360: Merge different sub-devices I2C read/write)
> Cc: stable@...r.kernel.org
> Signed-off-by: ChiYuan Huang <cy_huang@...htek.com>
> ---
> Since v2:
> - Assign i2c bank variable after bank index is already checked.
>
> ---
>  drivers/mfd/mt6360-core.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
Any comment?
> diff --git a/drivers/mfd/mt6360-core.c b/drivers/mfd/mt6360-core.c
> index 6eaa677..d3b32eb 100644
> --- a/drivers/mfd/mt6360-core.c
> +++ b/drivers/mfd/mt6360-core.c
> @@ -402,7 +402,7 @@ static int mt6360_regmap_read(void *context, const void *reg, size_t reg_size,
>         struct mt6360_ddata *ddata = context;
>         u8 bank = *(u8 *)reg;
>         u8 reg_addr = *(u8 *)(reg + 1);
> -       struct i2c_client *i2c = ddata->i2c[bank];
> +       struct i2c_client *i2c;
>         bool crc_needed = false;
>         u8 *buf;
>         int buf_len = MT6360_ALLOC_READ_SIZE(val_size);
> @@ -410,6 +410,11 @@ static int mt6360_regmap_read(void *context, const void *reg, size_t reg_size,
>         u8 crc;
>         int ret;
>
> +       if (bank >= MT6360_SLAVE_MAX)
> +               return -EINVAL;
> +
> +       i2c = ddata->i2c[bank];
> +
>         if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) {
>                 crc_needed = true;
>                 ret = mt6360_xlate_pmicldo_addr(&reg_addr, val_size);
> @@ -453,13 +458,18 @@ static int mt6360_regmap_write(void *context, const void *val, size_t val_size)
>         struct mt6360_ddata *ddata = context;
>         u8 bank = *(u8 *)val;
>         u8 reg_addr = *(u8 *)(val + 1);
> -       struct i2c_client *i2c = ddata->i2c[bank];
> +       struct i2c_client *i2c;
>         bool crc_needed = false;
>         u8 *buf;
>         int buf_len = MT6360_ALLOC_WRITE_SIZE(val_size);
>         int write_size = val_size - MT6360_REGMAP_REG_BYTE_SIZE;
>         int ret;
>
> +       if (bank >= MT6360_SLAVE_MAX)
> +               return -EINVAL;
> +
> +       i2c = ddata->i2c[bank];
> +
>         if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) {
>                 crc_needed = true;
>                 ret = mt6360_xlate_pmicldo_addr(&reg_addr, val_size - MT6360_REGMAP_REG_BYTE_SIZE);
> --
> 2.7.4
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ