From: Geert Uytterhoeven <geert+renesas@glider.be>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: devicetree@vger.kernel.org, Barry Song <baohua@kernel.org>,
Geert Uytterhoeven <geert+renesas@glider.be>,
Vineet Gupta <vgupta@synopsys.com>,
Michal Simek <michal.simek@xilinx.com>,
linux-kernel@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
linux-serial@vger.kernel.org, Jiri Slaby <jslaby@suse.com>,
linux-snps-arc@lists.infradead.org,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 7/9] serial: sh-sci: Fix out-of-bounds access through DT alias
Date: Fri, 23 Feb 2018 14:38:35 +0100 [thread overview]
Message-ID: <1519393117-31998-8-git-send-email-geert+renesas@glider.be> (raw)
In-Reply-To: <1519393117-31998-1-git-send-email-geert+renesas@glider.be>
The sci_ports[] array is indexed using a value derived from the
"serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Note that the array size is defined by a Kconfig symbol
(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a
legitimate DTB.
Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
v2:
- Fix Fixes reference,
- Use ARRAY_SIZE().
---
drivers/tty/serial/sh-sci.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 4d14f321cbec95e0..f6a6610d434efc33 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -3096,6 +3096,10 @@ static struct plat_sci_port *sci_parse_dt(struct platform_device *pdev,
dev_err(&pdev->dev, "failed to get alias id (%d)\n", id);
return NULL;
}
+ if (id >= ARRAY_SIZE(sci_ports)) {
+ dev_err(&pdev->dev, "serial%d out of range\n", id);
+ return NULL;
+ }
sp = &sci_ports[id];
*dev_id = id;
--
2.7.4
next prev parent reply other threads:[~2018-02-23 13:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-23 13:38 [PATCH v2 0/9] serial: Fix out-of-bounds accesses through DT aliases Geert Uytterhoeven
2018-02-23 13:38 ` [PATCH v2 1/9] serial: arc_uart: Fix out-of-bounds access through DT alias Geert Uytterhoeven
2018-02-23 13:38 ` [PATCH v2 2/9] serial: fsl_lpuart: " Geert Uytterhoeven
2018-02-23 13:38 ` [PATCH v2 3/9] serial: imx: Fix out-of-bounds access through serial port index Geert Uytterhoeven
2018-02-23 13:51 ` Uwe Kleine-König
2018-02-23 13:38 ` [PATCH v2 4/9] serial: mxs-auart: " Geert Uytterhoeven
2018-02-23 13:38 ` [PATCH v2 5/9] serial: pxa: " Geert Uytterhoeven
2018-02-23 13:38 ` [PATCH v2 6/9] serial: samsung: " Geert Uytterhoeven
2018-02-23 13:38 ` Geert Uytterhoeven [this message]
2018-02-23 13:38 ` [PATCH v2 8/9] serial: sirf: Fix out-of-bounds access through DT alias Geert Uytterhoeven
2018-02-23 13:38 ` [PATCH v2 9/9] serial: xuartps: " Geert Uytterhoeven
2018-02-23 13:41 ` Michal Simek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1519393117-31998-8-git-send-email-geert+renesas@glider.be \
--to=geert+renesas@glider.be \
--cc=baohua@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-renesas-soc@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=linux-snps-arc@lists.infradead.org \
--cc=michal.simek@xilinx.com \
--cc=vgupta@synopsys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).