lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMuHMdX+uYLDzQB9QerXApi+ZqT-a4L_moCdphpCbK7wdhHkUQ@mail.gmail.com>
Date: Wed, 13 Aug 2025 08:50:43 +0200
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Thomas Richard <thomas.richard@...tlin.com>, Linus Walleij <linus.walleij@...aro.org>, 
	Bartosz Golaszewski <brgl@...ev.pl>, Andy Shevchenko <andy@...nel.org>, linux-gpio@...r.kernel.org, 
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH next] gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()

On Wed, 13 Aug 2025 at 07:38, Dan Carpenter <dan.carpenter@...aro.org> wrote:
> The "> chip->ngpio" comparison here needs to be ">= chip->ngpio",
> otherwise it leads to an out of bounds access.  The fwd->valid_mask
> bitmap only has chip->ngpio bits and the fwd->descs[] array has that
> same number of elements.  These values are set in
> devm_gpiochip_fwd_alloc().
>
> Fixes: c44ce91b8ada ("gpio: aggregator: refactor the code to add GPIO desc in the forwarder")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>

Reviewed-by: Geert Uytterhoeven <geert+renesas@...der.be>

> --- a/drivers/gpio/gpio-aggregator.c
> +++ b/drivers/gpio/gpio-aggregator.c
> @@ -744,7 +744,7 @@ int gpiochip_fwd_desc_add(struct gpiochip_fwd *fwd, struct gpio_desc *desc,
>  {
>         struct gpio_chip *chip = &fwd->chip;
>
> -       if (offset > chip->ngpio)
> +       if (offset >= chip->ngpio)
>                 return -EINVAL;
>
>         if (test_and_set_bit(offset, fwd->valid_mask))

Looks like my similar comment in
https://lore.kernel.org/all/CAMuHMdVLo2w609eFOKRkYAfEMb8XOTNB-XzzZn_89VM-YV_-kA@mail.gmail.com/
was lost in the noise. I'll try to remember to make ">=" stand out more
among all quoted code.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ