dmaengine: stm32-dmamux: fix a potential buffer overflow - BMC/Intel-BMC/linux.git - Intel OpenBMC Linux kernel source tree (mirror)

diff options

author	Pierre-Yves MORDRET <pierre-yves.mordret@st.com>	2018-03-13 19:55:35 +0300
committer	Vinod Koul <vinod.koul@intel.com>	2018-03-22 08:21:35 +0300
commit	3e4543bf20531d1cdb8672d25b3f2ff6d3d07627 (patch)
tree	0e4ccf921f0c9f47e68e0f242596302e212e35be /security/device_cgroup.c
parent	0c8efd610b58cb23cefdfa12015799079aef94ae (diff)
download	linux-3e4543bf20531d1cdb8672d25b3f2ff6d3d07627.tar.xz

dmaengine: stm32-dmamux: fix a potential buffer overflow

The bitfield dma_inuse is allocated of size dma_requests bits, thus a valid bit address is from 0 to (dma_requests - 1). When find_first_zero_bit() fails, it returns dma_requests as invalid address. Using such address for the following set_bit() is incorrect and, if dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer overflow. Currently this driver is only used in DT stm32h743.dtsi where a safe value dma_requests=16 is not triggering the buffer overflow. Fixed by checking the return value of find_first_zero_bit() _before_ using it. Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com> Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com> Signed-off-by: Vinod Koul <vinod.koul@intel.com>

Diffstat (limited to 'security/device_cgroup.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: