summaryrefslogtreecommitdiff
path: root/fs/nls/nls_cp775.c
diff options
context:
space:
mode:
authorH. Nikolaus Schaller <hns@goldelico.com>2018-06-26 16:28:29 +0300
committerSebastian Reichel <sre@kernel.org>2018-07-06 19:40:34 +0300
commit932d47448c3caa0fa99e84d7f5bc302aa286efd8 (patch)
tree36b5965a6ea63bdec16c0056551533df38f90979 /fs/nls/nls_cp775.c
parentf2a42595f0865886a2d40524b0e9d15600848670 (diff)
downloadlinux-932d47448c3caa0fa99e84d7f5bc302aa286efd8.tar.xz
power: generic-adc-battery: fix out-of-bounds write when copying channel properties
We did have sporadic problems in the pinctrl framework during boot where a pin group name unexpectedly became NULL leading to a NULL dereference in strcmp. Detailled analysis of the failing cases did reveal that there were two devm allocated objects close to each other. The second one was the affected group_desc in pinmux and the first one was the psy_desc->properties buffer of the gab driver. Review of the gab code showed that the address calculation for one memcpy() is wrong. It does properties + sizeof(type) * index but C is defined to do the index multiplication already for pointer + integer additions. Hence the factor was applied twice and the memcpy() does write outside of the properties buffer. Sometimes it happened to be the pinctrl and triggered the strcmp(NULL). Anyways, it is overkill to use a memcpy() here instead of a simple assignment, which is easier to read and has less risk for wrong address calculations. So we change code to a simple assignment. If we initialize the index to the first free location, we can even remove the local variable 'properties'. This bug seems to exist right from the beginning in 3.7-rc1 in commit e60fea794e6e ("power: battery: Generic battery driver using IIO") Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com> Cc: stable@vger.kernel.org Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO") Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Diffstat (limited to 'fs/nls/nls_cp775.c')
0 files changed, 0 insertions, 0 deletions