[PATCH] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

[PATCH] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

[Xiaolei Wang]

The config passed in by pad wakeup is 1, When num_configs is 1,
configs[1] should not be obtained, which will generate the
following memory out-of-bounds situation:

BUG: KASAN: stack out of bounds in imx_pinconf_set_scu+0x9c/0x160
  Read size 8 at address ffff8000104c7558 by task sh/664
    CPU: 3 PID: 664 Communication: sh Tainted: G WC 6.1.20 #1
     Hardware name: Freescale i.MX8QM MEK (DT)
  Call trace:
    dump_backtrace.part.0+0xe0/0xf0
    show stack+0x18/0x30
    dump_stack_lvl+0x64/0x80
    print report +0x154/0x458
    kasan_report+0xb8/0x100
    __asan_load8+0x80/0xac
    imx_pinconf_set_scu+0x9c/0x160
    imx_pinconf_set+0x6c/0x214
    pinconf_set_config+0x68/0x90
    pinctrl_gpio_set_config+0x138/0x170
    gpiochip_generic_config+0x44/0x60
    mxc_gpio_set_pad_wakeup+0x100/0x140
    mxc_gpio_noirq_suspend+0x50/0x74
    pm_generic_suspend_noirq+0x4c/0x70
    genpd_finish_suspend+0x174/0x260
    genpd_suspend_noirq+0x14/0x20
    dpm_run_callback.constprop.0+0x48/0xec
    __device_suspend_noirq+0x1a8/0x370
    dpm_noirq_suspend_devices+0x1cc/0x320
    dpm_suspend_noirq+0x7c/0x11c
    suspend_devices_and_enter+0x27c/0x760
    pm_suspend+0x36c/0x3e0
    state_store+0x90/0x120
    kobj_attr_store+0x48/0x64
    sysfs_kf_write+0x90/0xb0
    kernfs_fop_write_iter+0x1a0/0x2a0
    vfs_write+0x2b0/0x43c
    ksys_write+0xcc/0x180
    __arm64_sys_write+0x44/0x60
    invoke_syscall+0x60/0x190
    el0_svc_common.constprop.0+0x128/0x160
    do_el0_svc+0x40/0xf0
    el0_svc+0x2c/0x6c
    el0t_64_sync_handler+0xf4/0x120
    el0t_64_sync+0x18c/0x190

  Buggy address belongs to physical page:
  Page: 00000000c09aeabf refcount: 1 mapcount: 0 mapping: 0000000000000000 index: 0x0 pfn: 0x89df07
  memcg:ffff000811bdfd02
  Flags: 0xbfffc0000000000 (node=0|zone=2|lastcpupid=0xffff)
  Raw: 0bfffc00000000000000000000000000 dead 000000000122 00000000000000000
  Original: 0000000000000000000000000000000000000001ffffffffffff000811bdfd02
  Page dumped because: kasan: bad access detected

Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
 drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/freescale/pinctrl-scu.c b/drivers/pinctrl/freescale/pinctrl-scu.c
index ea261b6e7458..3b252d684d72 100644
--- a/drivers/pinctrl/freescale/pinctrl-scu.c
+++ b/drivers/pinctrl/freescale/pinctrl-scu.c
@@ -90,7 +90,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
 	struct imx_sc_msg_req_pad_set msg;
 	struct imx_sc_rpc_msg *hdr = &msg.hdr;
 	unsigned int mux = configs[0];
-	unsigned int conf = configs[1];
+	unsigned int conf;
 	unsigned int val;
 	int ret;
 
@@ -115,6 +115,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
 	 * Set mux and conf together in one IPC call
 	 */
 	WARN_ON(num_configs != 2);
+	conf = configs[1];
 
 	val = conf | BM_PAD_CTL_IFMUX_ENABLE | BM_PAD_CTL_GP_ENABLE;
 	val |= mux << BP_PAD_CTL_IFMUX;
-- 
2.25.1

Re: [PATCH] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

[andy.shevchenko]

Mon, May 01, 2023 at 10:41:39PM +0800, Xiaolei Wang kirjoitti:
> The config passed in by pad wakeup is 1, When num_configs is 1,
> configs[1] should not be obtained, which will generate the
> following memory out-of-bounds situation:

> BUG: KASAN: stack out of bounds in imx_pinconf_set_scu+0x9c/0x160
>   Read size 8 at address ffff8000104c7558 by task sh/664
>     CPU: 3 PID: 664 Communication: sh Tainted: G WC 6.1.20 #1
>      Hardware name: Freescale i.MX8QM MEK (DT)
>   Call trace:

Please, read this
https://kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages
and update accordingly.

-- 
With Best Regards,
Andy Shevchenko