From: Dan Carpenter <dan.carpenter@oracle.com>
To: Benson Leung <bleung@chromium.org>,
Bill Richardson <wfrichar@chromium.org>
Cc: Guenter Roeck <groeck@chromium.org>,
Javier Martinez Canillas <javier@osg.samsung.com>,
Olof Johansson <olof@lixom.net>,
Gwendal Grignou <gwendal@chromium.org>,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] platform/chrome: cros_ec: fix read overflow in cros_ec_lpc_readmem()
Date: Thu, 9 Dec 2021 17:35:01 +0300 [thread overview]
Message-ID: <20211209143501.GA3041@kili> (raw)
If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
bytes" is a very high unsigned value and basically offset is
accepted. The second problem is that it uses >= instead of > so this
means that we are not able to read the very last byte.
Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
index d6306d2a096f..7e1d175def9f 100644
--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
char *s = dest;
int cnt = 0;
- if (offset >= EC_MEMMAP_SIZE - bytes)
+ if (offset > EC_MEMMAP_SIZE ||
+ bytes > EC_MEMMAP_SIZE - offset)
return -EINVAL;
/* fixed length */
--
2.20.1
next reply other threads:[~2021-12-09 14:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-09 14:35 Dan Carpenter [this message]
2021-12-14 23:02 ` [PATCH] platform/chrome: cros_ec: fix read overflow in cros_ec_lpc_readmem() Guenter Roeck
2021-12-15 8:19 ` Dan Carpenter
2021-12-15 15:55 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211209143501.GA3041@kili \
--to=dan.carpenter@oracle.com \
--cc=bleung@chromium.org \
--cc=groeck@chromium.org \
--cc=gwendal@chromium.org \
--cc=javier@osg.samsung.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olof@lixom.net \
--cc=wfrichar@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.