From: Dan Carpenter <dan.carpenter@oracle.com>
To: Lee Jones <lee@kernel.org>, ChiYuan Huang <cy_huang@richtek.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>,
Andy Shevchenko <andy.shevchenko@gmail.com>,
ChiaEn Wu <chiaen_wu@richtek.com>,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] mfd: mt6370: add bounds checking to regmap_read/write functions
Date: Fri, 19 Aug 2022 08:25:34 +0300 [thread overview]
Message-ID: <Yv8ezribLQbq5ggv@kili> (raw)
It looks like there are a potential out of bounds accesses in the
read/write() functions. Also can "len" be negative? Let's check for
that too.
Fixes: ab9905c5e38e ("mfd: mt6370: Add MediaTek MT6370 support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
From static analysis. This code is obviously harmless however it may
not be required. The regmap range checking is slightly complicated and
I haven't remembered where all it's done.
drivers/mfd/mt6370.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/mfd/mt6370.c b/drivers/mfd/mt6370.c
index cf19cce2fdc0..fd5e1d6a0272 100644
--- a/drivers/mfd/mt6370.c
+++ b/drivers/mfd/mt6370.c
@@ -190,6 +190,9 @@ static int mt6370_regmap_read(void *context, const void *reg_buf,
bank_idx = u8_buf[0];
bank_addr = u8_buf[1];
+ if (bank_idx >= ARRAY_SIZE(info->i2c))
+ return -EINVAL;
+
ret = i2c_smbus_read_i2c_block_data(info->i2c[bank_idx], bank_addr,
val_size, val_buf);
if (ret < 0)
@@ -211,6 +214,9 @@ static int mt6370_regmap_write(void *context, const void *data, size_t count)
bank_idx = u8_buf[0];
bank_addr = u8_buf[1];
+ if (len < 0 || bank_idx >= ARRAY_SIZE(info->i2c))
+ return -EINVAL;
+
return i2c_smbus_write_i2c_block_data(info->i2c[bank_idx], bank_addr,
len, data + MT6370_MAX_ADDRLEN);
}
--
2.35.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2022-08-19 5:27 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-19 5:25 Dan Carpenter [this message]
2022-08-19 6:27 ` [PATCH] mfd: mt6370: add bounds checking to regmap_read/write functions Andy Shevchenko
2022-08-22 12:57 ` Dan Carpenter
2022-09-08 6:57 ` Lee Jones
2022-09-08 7:54 ` Andy Shevchenko
2022-09-08 10:49 ` Dan Carpenter
2022-09-09 6:59 ` Lee Jones
2022-09-14 1:33 ` ChiYuan Huang
2022-08-23 22:09 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yv8ezribLQbq5ggv@kili \
--to=dan.carpenter@oracle.com \
--cc=andy.shevchenko@gmail.com \
--cc=chiaen_wu@richtek.com \
--cc=cy_huang@richtek.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=lee@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=matthias.bgg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox