From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753816AbcEBN4Z (ORCPT ); Mon, 2 May 2016 09:56:25 -0400 Received: from mout.kundenserver.de ([212.227.126.133]:49625 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752110AbcEBN4S (ORCPT ); Mon, 2 May 2016 09:56:18 -0400 Subject: Re: [PATCH v2] nvmem/mxs-ocotp: fix buffer overflow in read References: <1f26dfe5-c75f-39df-e21e-77aeea408258@meduna.org> Cc: Stanislav Meduna , linux-kernel@vger.kernel.org, "linux-arm-kernel@lists.infradead.org" , Maxime Ripard To: Srinivas Kandagatla , Greg Kroah-Hartman From: Stefan Wahren Message-ID: <57275C69.9060902@i2se.com> Date: Mon, 2 May 2016 15:55:53 +0200 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: <1f26dfe5-c75f-39df-e21e-77aeea408258@meduna.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:m/krix6ZF53pph2cmqJC6ELH1lWMGWMkL26lJuHCbCBqlPM5/0m jxp8EB0rsHpzXIjmqPLViLhQlj/8nAZL0d6UBEtVnDcsFAAOJNsSohXtOoqb59ySXvOfnxs cRBcVYWaYztOkgWvPNgXzVs9zJNcJYcS2U95WxK0K9n3eqRaaWjwT8u9lhSy+6e3n6km47q wdq8YQNpfFAfq3WRwfaag== X-UI-Out-Filterresults: notjunk:1;V01:K0:zyH63Y1pE94=:UNR/hSjv+wqd3j7aD/BPK9 4JsfZ1Otn0AdcNqrIGTXedjAffymtBE7HTon61Fp30QtO7WXRqfPQvtaPj/QW/9irJr8cjXh2 /gP/FUkH046pKjR0agMDrhM2HqwxMNyGOVSYIlGbmv83XedVjT7AZalhw9l7PETtfj++7OwyG J7soWdwJSCBtAiPKUfX1rscjfrW0uzBPwS6xB0uvVmuUWJgJGlefFHiRobBUYtFABR/JOof7X es7hokqNO8wHdhsPUMkg3HMHjVG7TRnVmoCHm+29Oou2WMpoNpxX4LgmIW37ltrUrAwHfS/vv QSuEwwx698yMJr09HxRrSNDjq4tghxVsFaOhaH03sJS4zZeaYSv/PYfV6UPwK94S80waVwTMv qG+bVmZEArv2oScyL7+TkDNiVihLyFu4UA3+Nw/hwDaW4BZQ+nGCnQ29zFVo/FJgi/AsdJcpo lVbRGnY/yQqi/0+n5E8BmTMobLQD6hRr4OaVevaiGcgXC9eNrwwQE3r13/7WEFlPqDfjyFaC1 waHBGFT/qMM/AiCr5PitjKPNpqdJfNiu2Lj/kYpKhj9ZrCqKonNwsW9y+UgU/uG5rxNJmCdPP yDNyp6pnye4im5W0uW4GHTR1rjtXKPCs04A2gi5MfreBw2n4oS+NbqF46HyQ5056lz1EXbqec rtW3iY9O77DJ8yfWVLAkynwU0wJ6Coz6Dlmbz4NBxfllqycUQD/EAWgDyKN+PuImRFOmEwniN pXEtEAtL1OnTqeMn Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Srinivas, hi Greg, Am 27.04.2016 um 14:39 schrieb Stanislav Meduna: > This patch fixes the issue where the mxs_ocotp_read is reading > the ocotp in reg_size steps but decrements the remaining size > by 1. The number of iterations is thus four times higher, > overwriting the area behind the output buffer. > > Fixes: c01e9a11ab6f ("nvmem: add driver for ocotp in i.MX23 and i.MX28") > Tested-by: Stefan Wahren > Signed-off-by: Stanislav Meduna any change to get this critical fix into 4.6? Regards Stefan > --- > drivers/nvmem/mxs-ocotp.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/nvmem/mxs-ocotp.c b/drivers/nvmem/mxs-ocotp.c > index 8ba19bb..2bb3c57 100644 > --- a/drivers/nvmem/mxs-ocotp.c > +++ b/drivers/nvmem/mxs-ocotp.c > @@ -94,7 +94,7 @@ static int mxs_ocotp_read(void *context, const void *reg, size_t reg_size, > if (ret) > goto close_banks; > > - while (val_size) { > + while (val_size >= reg_size) { > if ((offset < OCOTP_DATA_OFFSET) || (offset % 16)) { > /* fill up non-data register */ > *buf = 0; > @@ -103,7 +103,7 @@ static int mxs_ocotp_read(void *context, const void *reg, size_t reg_size, > } > > buf++; > - val_size--; > + val_size -= reg_size; > offset += reg_size; > } >