* [PATCH] cs5535_gpio: Fix root triggerable integer underflow
@ 2009-07-18 11:28 Michael Buesch
From: Michael Buesch @ 2009-07-18 11:28 UTC (permalink / raw)
To: Ben Gardner; +Cc: linux-kernel
This patch fixes a possible root triggerable (I hope the device is only
readable by root?) integer underflow.
Well, it's not really an underflow, but as loff_t is a signed type, the
range check at the start of the function is incomplete. It needs to check for <0, too.
Otherwise the loop below will poke into random memory and I/O space.
This could be used to crash the machine, at least.
This patch is only compile-tested, because I do not have the hardware.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
---
I'm not sure if this bug is exploitable. I _guess_ the device is only readable by root
on a standard setup.
---
drivers/char/cs5535_gpio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.orig/drivers/char/cs5535_gpio.c
+++ linux-2.6/drivers/char/cs5535_gpio.c
@@ -124,21 +124,21 @@ static ssize_t cs5535_gpio_write(struct
static ssize_t cs5535_gpio_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos)
{
u32 m = iminor(file->f_path.dentry->d_inode);
u32 base = gpio_base + cs5535_lowhigh_base(m);
int rd_bit = 1 << (m & 0x0f);
int i;
char ch;
ssize_t count = 0;
- if (*ppos >= ARRAY_SIZE(rm))
+ if (*ppos < 0 || *ppos >= ARRAY_SIZE(rm))
return 0;
for (i = *ppos; (i < (*ppos + len)) && (i < ARRAY_SIZE(rm)); i++) {
ch = (inl(base + rm[i].rd_offset) & rd_bit) ?
rm[i].on : rm[i].off;
if (put_user(ch, buf+count))
return -EFAULT;
count++;
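Review bot: the added `*ppos < 0` guard is the right fix, but please also check whether cs5535_gpio_write, which the hunk header shows sitting directly above this function, uses the same `*ppos >= ARRAY_SIZE(rm)` pattern and needs the identical change. It is also worth stating in the commit message why the original test can miss negative offsets: `*ppos` is a signed loff_t while ARRAY_SIZE(rm) is a size_t, so whether the comparison is performed as signed or unsigned depends on the relative widths of those two types on the target, and the explicit `< 0` test removes that dependence. Finally, the loop index `i` is an int assigned from the loff_t `*ppos`; with the new guard `*ppos` is known to lie in [0, ARRAY_SIZE(rm)), so the narrowing is safe, and a one-line comment saying so would save the next reader the same analysis.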
--
Greetings, Michael.