* [PATCH] pinctrl: stm32: fix array read out of bound
@ 2023-11-07 11:05 Antonio Borneo
2023-11-14 13:43 ` Linus Walleij
0 siblings, 1 reply; 2+ messages in thread
From: Antonio Borneo @ 2023-11-07 11:05 UTC (permalink / raw)
To: Linus Walleij, Maxime Coquelin, Alexandre Torgue, Rob Herring,
Geert Uytterhoeven, Emil Renner Berthing, Valentin Caron,
Dario Binacchi, Bernhard Rosenkränzer
Cc: Antonio Borneo, linux-gpio, linux-stm32, linux-arm-kernel,
linux-kernel
The existing code does not verify if the "tentative" index exceeds
the size of the array, causing out of bound read.
Issue identified with kasan.
Check the index before using it.
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index a73385a431de..56677bad10f7 100644
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1283,9 +1283,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi
int i;
/* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */
- pin_desc = pctl->pins + stm32_pin_nb;
- if (pin_desc->pin.number == stm32_pin_nb)
- return pin_desc;
+ if (stm32_pin_nb < pctl->npins) {
+ pin_desc = pctl->pins + stm32_pin_nb;
+ if (pin_desc->pin.number == stm32_pin_nb)
+ return pin_desc;
+ }
/* Otherwise, loop all array to find the pin with the right number */
for (i = 0; i < pctl->npins; i++) {
base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
--
2.42.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] pinctrl: stm32: fix array read out of bound
2023-11-07 11:05 [PATCH] pinctrl: stm32: fix array read out of bound Antonio Borneo
@ 2023-11-14 13:43 ` Linus Walleij
0 siblings, 0 replies; 2+ messages in thread
From: Linus Walleij @ 2023-11-14 13:43 UTC (permalink / raw)
To: Antonio Borneo
Cc: Maxime Coquelin, Alexandre Torgue, Rob Herring,
Geert Uytterhoeven, Emil Renner Berthing, Valentin Caron,
Dario Binacchi, Bernhard Rosenkränzer, linux-gpio,
linux-stm32, linux-arm-kernel, linux-kernel
On Tue, Nov 7, 2023 at 12:06 PM Antonio Borneo
<antonio.borneo@foss.st.com> wrote:
> The existing code does not verify if the "tentative" index exceeds
> the size of the array, causing out of bound read.
> Issue identified with kasan.
>
> Check the index before using it.
>
> Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
> Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
Patch applied for fixes.
And now I feel better about that I spent so much time porting Kasan to ARM32.
Yours,
Linus Walleij
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-11-14 13:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-07 11:05 [PATCH] pinctrl: stm32: fix array read out of bound Antonio Borneo
2023-11-14 13:43 ` Linus Walleij
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).