From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Ian Abbott <abbotti@mev.co.uk>
Subject: [PATCH 4.14 53/64] staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
Date: Mon, 27 Jul 2020 16:04:32 +0200
Message-ID: <20200727134913.795271919@linuxfoundation.org>
In-Reply-To: <20200727134911.020675249@linuxfoundation.org>

From: Ian Abbott <abbotti@mev.co.uk>

commit fc846e9db67c7e808d77bf9e2ef3d49e3820ce5d upstream.

The `INSN_CONFIG` comedi instruction with sub-instruction code
`INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is
used as a right shift amount for other bitmask values without being
checked.  Shift amounts greater than or equal to 32 will result in
undefined behavior.  Add code to deal with this, adjusting the checks
for invalid channels so that enabled channel bits that would have been
lost by shifting are also checked for validity.  Only channels 0 to 15
are valid.

Fixes: a8c66b684efaf ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
Cc: <stable@vger.kernel.org> #4.0+: ef75e14a6c93: staging: comedi: verify array index is correct before using it
Cc: <stable@vger.kernel.org> #4.0+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20200717145257.112660-5-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/addi_apci_1500.c |   24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

--- a/drivers/staging/comedi/drivers/addi_apci_1500.c
+++ b/drivers/staging/comedi/drivers/addi_apci_1500.c
@@ -461,13 +461,14 @@ static int apci1500_di_cfg_trig(struct c
 	struct apci1500_private *devpriv = dev->private;
 	unsigned int trig = data[1];
 	unsigned int shift = data[3];
-	unsigned int hi_mask = data[4] << shift;
-	unsigned int lo_mask = data[5] << shift;
-	unsigned int chan_mask = hi_mask | lo_mask;
-	unsigned int old_mask = (1 << shift) - 1;
+	unsigned int hi_mask;
+	unsigned int lo_mask;
+	unsigned int chan_mask;
+	unsigned int old_mask;
 	unsigned int pm;
 	unsigned int pt;
 	unsigned int pp;
+	unsigned int invalid_chan;
 
 	if (trig > 1) {
 		dev_dbg(dev->class_dev,
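Review bot: `unsigned int shift = data[3];` at the top of this hunk carries no comment saying the value is still unvalidated at that point, and the four variables declared below it (`hi_mask`, `lo_mask`, `chan_mask`, `old_mask`) are now left uninitialised until the range check that follows the `trig > 1` test. A one-line comment on the `shift` declaration, noting that it is range-checked before any use as a shift count, would make that dependency visible to anyone who later adds code between the declarations and the check.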
@@ -475,7 +476,20 @@ static int apci1500_di_cfg_trig(struct c
 		return -EINVAL;
 	}
 
-	if (chan_mask > 0xffff) {
+	if (shift <= 16) {
+		hi_mask = data[4] << shift;
+		lo_mask = data[5] << shift;
+		old_mask = (1U << shift) - 1;
+		invalid_chan = (data[4] | data[5]) >> (16 - shift);
+	} else {
+		hi_mask = 0;
+		lo_mask = 0;
+		old_mask = 0xffff;
+		invalid_chan = data[4] | data[5];
+	}
+	chan_mask = hi_mask | lo_mask;
+
+	if (invalid_chan) {
 		dev_dbg(dev->class_dev, "invalid digital trigger channel\n");
 		return -EINVAL;
 	}
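Review bot: In the `else` arm (`shift > 16`), `invalid_chan = data[4] | data[5]` is zero when both masks are empty, so a request with an out-of-range base channel and no channel bits set passes `if (invalid_chan)` instead of returning -EINVAL; the same holds for `shift == 16` in the first arm. If that is intended (the masks become 0 and `old_mask = 0xffff` leaves every existing channel untouched), a short comment above the if/else saying so would help, since the commit message states only channels 0 to 15 are valid. As a style point, the literals `16` and `0xffff` encode the same channel count in three places here; a named constant for the number of channels would keep them in step.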


