From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xiaolei Wang <xiaolei.wang@windriver.com>,
Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>,
lgirdwood@gmail.com
Subject: [PATCH AUTOSEL 4.19 2/9] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe()
Date: Wed, 14 Sep 2022 05:04:36 -0400
Message-ID: <20220914090445.471489-2-sashal@kernel.org>
In-Reply-To: <20220914090445.471489-1-sashal@kernel.org>
From: Xiaolei Wang <xiaolei.wang@windriver.com>
[ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ]
The pfuze_chip::regulator_descs is an array of size
PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators
is the pointer to the real regulators of a specific device.
The number of real regulators is supposed to be less than
the PFUZE100_MAX_REGULATOR, so we should use the size of
'regulator_num * sizeof(struct pfuze_regulator)' in memcpy().
This fixes the out of bounds access bug reported by KASAN.
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pfuze100-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
index 8b1940110561a..b1d73a6c7809e 100644
--- a/drivers/regulator/pfuze100-regulator.c
+++ b/drivers/regulator/pfuze100-regulator.c
@@ -710,7 +710,7 @@ static int pfuze100_regulator_probe(struct i2c_client *client,
((pfuze_chip->chip_id == PFUZE3000) ? "3000" : "3001"))));
memcpy(pfuze_chip->regulator_descs, pfuze_chip->pfuze_regulators,
- sizeof(pfuze_chip->regulator_descs));
+ regulator_num * sizeof(struct pfuze_regulator));
ret = pfuze_parse_regulators_dt(pfuze_chip);
if (ret)
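Review bot: The new length on the memcpy() line, `regulator_num * sizeof(struct pfuze_regulator)`, is bounded by the source table, but nothing visible in this hunk checks that regulator_num stays within the destination array; the commit message only says it is "supposed to be less than" PFUZE100_MAX_REGULATOR. Consider a guard before the copy, for example `if (WARN_ON(regulator_num > ARRAY_SIZE(pfuze_chip->regulator_descs))) return -EINVAL;`, so that a chip table that later grows past the maximum becomes a probe failure rather than a write past regulator_descs. Expressing the element size as `sizeof(pfuze_chip->regulator_descs[0])` would also tie the length to the destination's type instead of a separately named struct.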
--
2.35.1