lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1666318661-11777-1-git-send-email-u0084500@gmail.com>
Date:   Fri, 21 Oct 2022 10:17:41 +0800
From:   cy_huang <u0084500@...il.com>
To:     lee@...nel.org, matthias.bgg@...il.com
Cc:     chiaen_wu@...htek.com, andy.shevchenko@...il.com,
        cy_huang@...htek.com, linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: [PATCH v2] mfd: mt6370: Add the out-of-bound check to prevent the null pointer

From: ChiYuan Huang <cy_huang@...htek.com>

This potential risk could happen at regmap_raw_read() or
regmap_raw_write() when accessing the over-bound register address.

For testing, I try to reproduce it with a testing attribute file.
Below's the issue trace log.

[41.314358] pc : i2c_smbus_xfer+0x58/0x120
[41.314371] lr : i2c_smbus_read_i2c_block_data+0x74/0xc0
[41.399677] Call trace:
[41.402153]  i2c_smbus_xfer+0x58/0x120
[41.405956]  i2c_smbus_read_i2c_block_data+0x74/0xc0
[41.410991]  mt6370_regmap_read+0x40/0x60 [mt6370]
[41.415855]  _regmap_raw_read+0xe4/0x278
[41.419834]  regmap_raw_read+0xec/0x240
[41.423721]  rg_bound_show+0xb0/0x120 [mt6370]
[41.428226]  dev_attr_show+0x3c/0x80
[41.431851]  sysfs_kf_seq_show+0xc4/0x150
[41.435916]  kernfs_seq_show+0x48/0x60
[41.439718]  seq_read_iter+0x11c/0x450
[41.443519]  kernfs_fop_read_iter+0x124/0x1c0
[41.447937]  vfs_read+0x1a8/0x288
[41.451296]  ksys_read+0x74/0x100
[41.454654]  __arm64_sys_read+0x24/0x30
[41.458541]  invoke_syscall+0x54/0x118
[41.462344]  el0_svc_common.constprop.4+0x94/0x128
[41.467202]  do_el0_svc+0x3c/0xd0
[41.470562]  el0_svc+0x20/0x60
[41.473658]  el0t_64_sync_handler+0x94/0xb8
[41.477899]  el0t_64_sync+0x15c/0x160
[41.481614] Code: 54000388 f9401262 aa1303e0 52800041 (f9400042)
[41.487793] ---[ end trace 0000000000000000 ]---

Fixes: b2adf788e603 ("mfd: mt6370: Add MediaTek MT6370 support")
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: ChiYuan Huang <cy_huang@...htek.com>
---
Dear reviewers:

In v2, I refined the patch title and commit message.

If there's still something improper, please kindly correct me.

---
 drivers/mfd/mt6370.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/mfd/mt6370.c b/drivers/mfd/mt6370.c
index cf19cce..acbf960 100644
--- a/drivers/mfd/mt6370.c
+++ b/drivers/mfd/mt6370.c
@@ -190,6 +190,9 @@ static int mt6370_regmap_read(void *context, const void *reg_buf,
 	bank_idx = u8_buf[0];
 	bank_addr = u8_buf[1];
 
+	if (bank_idx >= MT6370_MAX_I2C)
+		return -EINVAL;
+
 	ret = i2c_smbus_read_i2c_block_data(info->i2c[bank_idx], bank_addr,
 					    val_size, val_buf);
 	if (ret < 0)
@@ -211,6 +214,9 @@ static int mt6370_regmap_write(void *context, const void *data, size_t count)
 	bank_idx = u8_buf[0];
 	bank_addr = u8_buf[1];
 
+	if (bank_idx >= MT6370_MAX_I2C)
+		return -EINVAL;
+
 	return i2c_smbus_write_i2c_block_data(info->i2c[bank_idx], bank_addr,
 					      len, data + MT6370_MAX_ADDRLEN);
 }
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ