From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xiaolei Wang <xiaolei.wang@windriver.com>,
Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>,
lgirdwood@gmail.com
Subject: [PATCH AUTOSEL 5.19 04/22] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe()
Date: Wed, 14 Sep 2022 05:00:45 -0400 [thread overview]
Message-ID: <20220914090103.470630-4-sashal@kernel.org> (raw)
In-Reply-To: <20220914090103.470630-1-sashal@kernel.org>
From: Xiaolei Wang <xiaolei.wang@windriver.com>
[ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ]
The pfuze_chip::regulator_descs is an array of size
PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators
is the pointer to the real regulators of a specific device.
The number of real regulator is supposed to be less than
the PFUZE100_MAX_REGULATOR, so we should use the size of
'regulator_num * sizeof(struct pfuze_regulator)' in memcpy().
This fixes the out of bounds access bug reported by KASAN.
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pfuze100-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
index 6b617024a67d1..d899d6e98fb81 100644
--- a/drivers/regulator/pfuze100-regulator.c
+++ b/drivers/regulator/pfuze100-regulator.c
@@ -766,7 +766,7 @@ static int pfuze100_regulator_probe(struct i2c_client *client,
((pfuze_chip->chip_id == PFUZE3000) ? "3000" : "3001"))));
memcpy(pfuze_chip->regulator_descs, pfuze_chip->pfuze_regulators,
- sizeof(pfuze_chip->regulator_descs));
+ regulator_num * sizeof(struct pfuze_regulator));
ret = pfuze_parse_regulators_dt(pfuze_chip);
if (ret)
--
2.35.1
next prev parent reply other threads:[~2022-09-14 9:01 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 9:00 [PATCH AUTOSEL 5.19 01/22] arm64: dts: juno: Add missing MHU secure-irq Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 02/22] spi: cadence-quadspi: Disable irqs during indirect reads Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 03/22] ASoC: nau8824: Fix semaphore unbalance at error paths Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` Sasha Levin [this message]
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 05/22] ASoC: fsl_aud2htx: register platform component before registering cpu dai Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 06/22] ASoC: fsl_aud2htx: Add error handler for pm_runtime_enable Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 07/22] scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of DID_REQUEUE Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 08/22] rxrpc: Fix local destruction being repeated Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 09/22] rxrpc: Fix calc of resend age Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 10/22] wifi: mac80211_hwsim: check length for virtio packets Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 11/22] ALSA: hda/sigmatel: Keep power up while beep is enabled Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 12/22] erofs: avoid the potentially wrong m_plen for big pcluster Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 13/22] ALSA: hda/tegra: Align BDL entry to 4KB boundary Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 14/22] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 15/22] drm/ttm: update bulk move object of ghost BO Sasha Levin
2022-09-14 9:00 ` Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 16/22] net: usb: qmi_wwan: add Quectel RM520N Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 17/22] afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked Sasha Levin
2022-09-14 9:00 ` [PATCH AUTOSEL 5.19 18/22] scsi: mpt3sas: Fix use-after-free warning Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 19/22] MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 20/22] drm/amdgpu: prevent toc firmware memory leak Sasha Levin
2022-09-14 9:01 ` Sasha Levin
2022-09-14 9:01 ` Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 21/22] drm/panfrost: devfreq: set opp to the recommended one to configure regulator Sasha Levin
2022-09-14 9:01 ` Sasha Levin
2022-09-14 9:01 ` [PATCH AUTOSEL 5.19 22/22] mksysmap: Fix the mismatch of 'L0' symbols in System.map Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220914090103.470630-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=broonie@kernel.org \
--cc=lgirdwood@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiaolei.wang@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.