From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E5A928EE for ; Mon, 2 Jan 2023 11:25:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 253B1C433EF; Mon, 2 Jan 2023 11:25:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1672658758; bh=28HnGYvLUBH0VcEp2wUB5MgJsMx54LSkc1ou7ocB4qw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aiPPfqSfuYDRw5KFTWBzWALWdzCt6dSnqJkbhIkpLWk/AbtH3Ru3Fj+WE0RkvcgTx qvb+QIBxOb3c77h9gQWbrxaYSHqEvZAzmaDoHBl0As5dWxN5oU79kmfMEbb498RZUx adebQV2edQBKq8C9AaiksnPsjkqj8D55He0f9PJI= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, ChiYuan Huang , Lee Jones Subject: [PATCH 6.1 60/71] mfd: mt6360: Add bounds checking in Regmap read/write call-backs Date: Mon, 2 Jan 2023 12:22:25 +0100 Message-Id: <20230102110554.012122885@linuxfoundation.org> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230102110551.509937186@linuxfoundation.org> References: <20230102110551.509937186@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: ChiYuan Huang commit 5f4f94e9f26cca6514474b307b59348b8485e711 upstream. Fix the potential risk of OOB read if bank index is over the maximum. Refer to the discussion list for the experiment result on mt6370. https://lore.kernel.org/all/20220914013345.GA5802@cyhuang-hp-elitebook-840-g3.rt/ If not to check the bound, there is the same issue on mt6360. Cc: stable@vger.kernel.org Fixes: 3b0850440a06c (mfd: mt6360: Merge different sub-devices I2C read/write) Signed-off-by: ChiYuan Huang Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/1664416817-31590-1-git-send-email-u0084500@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/mfd/mt6360-core.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) --- a/drivers/mfd/mt6360-core.c +++ b/drivers/mfd/mt6360-core.c @@ -402,7 +402,7 @@ static int mt6360_regmap_read(void *cont struct mt6360_ddata *ddata = context; u8 bank = *(u8 *)reg; u8 reg_addr = *(u8 *)(reg + 1); - struct i2c_client *i2c = ddata->i2c[bank]; + struct i2c_client *i2c; bool crc_needed = false; u8 *buf; int buf_len = MT6360_ALLOC_READ_SIZE(val_size); @@ -410,6 +410,11 @@ static int mt6360_regmap_read(void *cont u8 crc; int ret; + if (bank >= MT6360_SLAVE_MAX) + return -EINVAL; + + i2c = ddata->i2c[bank]; + if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) { crc_needed = true; ret = mt6360_xlate_pmicldo_addr(®_addr, val_size); @@ -453,13 +458,18 @@ static int mt6360_regmap_write(void *con struct mt6360_ddata *ddata = context; u8 bank = *(u8 *)val; u8 reg_addr = *(u8 *)(val + 1); - struct i2c_client *i2c = ddata->i2c[bank]; + struct i2c_client *i2c; bool crc_needed = false; u8 *buf; int buf_len = MT6360_ALLOC_WRITE_SIZE(val_size); int write_size = val_size - MT6360_REGMAP_REG_BYTE_SIZE; int ret; + if (bank >= MT6360_SLAVE_MAX) + return -EINVAL; + + i2c = ddata->i2c[bank]; + if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) { crc_needed = true; ret = mt6360_xlate_pmicldo_addr(®_addr, val_size - MT6360_REGMAP_REG_BYTE_SIZE);