devicetree.vger.kernel.org archive mirror
* pinctrl: samsung: Out-of-bounds access through DT aliases
@ 2018-02-20 10:06 Geert Uytterhoeven
  2018-02-20 11:56 ` Krzysztof Kozlowski
  0 siblings, 1 reply; 2+ messages in thread
From: Geert Uytterhoeven @ 2018-02-20 10:06 UTC (permalink / raw)
  To: Tomasz Figa, Krzysztof Kozlowski, Sylwester Nawrocki,
	Linus Walleij
  Cc: linux-samsung-soc, linux-gpio,
	open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS

Hi,

The Samsung pinctrl driver uses the "pinctrlN" alias from DT without performing
any validation on the returned index, which may lead to out-of-bounds accesses
in the SoC-specific samsung_pin_ctrl[] arrays:

drivers/pinctrl/samsung/pinctrl-samsung.c:samsung_pinctrl_get_soc_data():

        id = of_alias_get_id(node, "pinctrl");
        if (id < 0) {
                dev_err(&pdev->dev, "failed to get alias id\n");
                return ERR_PTR(-ENOENT);
        }
        ctrl = of_device_get_match_data(&pdev->dev);
        // FIXME out-of-bounds access, limit not known
        ctrl += id;

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


* Re: pinctrl: samsung: Out-of-bounds access through DT aliases
  2018-02-20 10:06 pinctrl: samsung: Out-of-bounds access through DT aliases Geert Uytterhoeven
@ 2018-02-20 11:56 ` Krzysztof Kozlowski
  0 siblings, 0 replies; 2+ messages in thread
From: Krzysztof Kozlowski @ 2018-02-20 11:56 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Tomasz Figa, Sylwester Nawrocki, Linus Walleij, linux-samsung-soc,
	linux-gpio,
	open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS

On Tue, Feb 20, 2018 at 11:06 AM, Geert Uytterhoeven
<geert@linux-m68k.org> wrote:
> Hi,
>
> The Samsung pinctrl driver uses the "pinctrlN" alias from DT without performing
> any validation on the returned index, which may lead to out-of-bounds accesses
> in the SoC-specific samsung_pin_ctrl[] arrays:
>
> drivers/pinctrl/samsung/pinctrl-samsung.c:samsung_pinctrl_get_soc_data():
>
>         id = of_alias_get_id(node, "pinctrl");
>         if (id < 0) {
>                 dev_err(&pdev->dev, "failed to get alias id\n");
>                 return ERR_PTR(-ENOENT);
>         }
>         ctrl = of_device_get_match_data(&pdev->dev);
>         // FIXME out-of-bounds access, limit not known
>         ctrl += id;

Hi Geert,

Indeed, the lack of validation with a wrong DT will cause out-of-bounds
accesses. This might also be an issue when using out-of-tree DTBs.

I'll take a look at a possible fix.

Thanks for the report, much appreciated!

Best regards,
Krzysztof
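
Added example (not part of the original thread, and not the driver's own code or its fix): a userspace C model of the lookup quoted above, in which the match data carries the array length so the alias index can be checked before the pointer arithmetic. The struct names, the sample table and get_soc_data() are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver's per-controller data. */
struct pin_ctrl {
    const char *name;
    unsigned int nr_banks;
};

/* Hypothetical wrapper: the match data carries the array AND its length,
 * so the lookup knows the limit the quoted code lacks. */
struct pin_ctrl_match_data {
    const struct pin_ctrl *ctrl;
    unsigned int num_ctrl;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample table for one SoC with two pin controllers. */
static const struct pin_ctrl soc_a_ctrl[] = {
    { "soc-a-pinctrl0", 5 },
    { "soc-a-pinctrl1", 3 },
};

static const struct pin_ctrl_match_data soc_a_match = {
    .ctrl = soc_a_ctrl,
    .num_ctrl = ARRAY_SIZE(soc_a_ctrl),
};

/* alias_id models the value of_alias_get_id() returns: negative on error,
 * otherwise whatever N the device tree's "pinctrlN" alias says. */
static const struct pin_ctrl *
get_soc_data(const struct pin_ctrl_match_data *md, int alias_id)
{
    if (alias_id < 0)
        return NULL;                /* no alias found */
    if (!md || (unsigned int)alias_id >= md->num_ctrl)
        return NULL;                /* alias points outside the table */
    return md->ctrl + alias_id;     /* in bounds; same step as ctrl += id */
}

int main(void)
{
    int ids[] = { 0, 1, 2, 7, -19 };    /* constructed alias values */
    for (size_t i = 0; i < ARRAY_SIZE(ids); i++) {
        const struct pin_ctrl *c = get_soc_data(&soc_a_match, ids[i]);
        printf("pinctrl%d -> %s\n", ids[i], c ? c->name : "rejected");
    }
    return 0;
}
```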
