From mboxrd@z Thu Jan 1 00:00:00 1970 From: geert+renesas@glider.be (Geert Uytterhoeven) Date: Fri, 23 Feb 2018 14:38:32 +0100 Subject: [PATCH v2 4/9] serial: mxs-auart: Fix out-of-bounds access through serial port index In-Reply-To: <1519393117-31998-1-git-send-email-geert+renesas@glider.be> References: <1519393117-31998-1-git-send-email-geert+renesas@glider.be> List-ID: Message-ID: <1519393117-31998-5-git-send-email-geert+renesas@glider.be> To: linux-snps-arc@lists.infradead.org The auart_port[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access. Fix this by adding a range check. Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") Signed-off-by: Geert Uytterhoeven --- v2: - Fix Fixes reference, - Use ARRAY_SIZE(), - Update patch description for platform data. --- drivers/tty/serial/mxs-auart.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c index 079dc47aa142d8e1..caa8a41b6e71df9e 100644 --- a/drivers/tty/serial/mxs-auart.c +++ b/drivers/tty/serial/mxs-auart.c @@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platform_device *pdev) s->port.line = pdev->id < 0 ? 0 : pdev->id; else if (ret < 0) return ret; + if (s->port.line >= ARRAY_SIZE(auart_port)) { + dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); + return -EINVAL; + } if (of_id) { pdev->id_entry = of_id->data; -- 2.7.4