From: Antonio Borneo <antonio.borneo@foss.st.com>
To: "Linus Walleij" <linus.walleij@linaro.org>,
"Maxime Coquelin" <mcoquelin.stm32@gmail.com>,
"Alexandre Torgue" <alexandre.torgue@foss.st.com>,
"Rob Herring" <robh@kernel.org>,
"Geert Uytterhoeven" <geert+renesas@glider.be>,
"Emil Renner Berthing" <emil.renner.berthing@canonical.com>,
"Valentin Caron" <valentin.caron@foss.st.com>,
"Dario Binacchi" <dario.binacchi@amarulasolutions.com>,
"Bernhard Rosenkränzer" <bero@baylibre.com>
Cc: Antonio Borneo <antonio.borneo@foss.st.com>,
<linux-gpio@vger.kernel.org>,
<linux-stm32@st-md-mailman.stormreply.com>,
<linux-arm-kernel@lists.infradead.org>,
<linux-kernel@vger.kernel.org>
Subject: [PATCH] pinctrl: stm32: fix array read out of bound
Date: Tue, 7 Nov 2023 12:05:20 +0100 [thread overview]
Message-ID: <20231107110520.4449-1-antonio.borneo@foss.st.com> (raw)
The existing code does not verify if the "tentative" index exceeds
the size of the array, causing out of bound read.
Issue identified with kasan.
Check the index before using it.
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index a73385a431de..56677bad10f7 100644
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1283,9 +1283,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi
int i;
/* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */
- pin_desc = pctl->pins + stm32_pin_nb;
- if (pin_desc->pin.number == stm32_pin_nb)
- return pin_desc;
+ if (stm32_pin_nb < pctl->npins) {
+ pin_desc = pctl->pins + stm32_pin_nb;
+ if (pin_desc->pin.number == stm32_pin_nb)
+ return pin_desc;
+ }
/* Otherwise, loop all array to find the pin with the right number */
for (i = 0; i < pctl->npins; i++) {
base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
--
2.42.0
next reply other threads:[~2023-11-07 11:06 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 11:05 Antonio Borneo [this message]
2023-11-14 13:43 ` [PATCH] pinctrl: stm32: fix array read out of bound Linus Walleij
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107110520.4449-1-antonio.borneo@foss.st.com \
--to=antonio.borneo@foss.st.com \
--cc=alexandre.torgue@foss.st.com \
--cc=bero@baylibre.com \
--cc=dario.binacchi@amarulasolutions.com \
--cc=emil.renner.berthing@canonical.com \
--cc=geert+renesas@glider.be \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-stm32@st-md-mailman.stormreply.com \
--cc=mcoquelin.stm32@gmail.com \
--cc=robh@kernel.org \
--cc=valentin.caron@foss.st.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).