On Tue, Jun 03, 2014 at 07:29:10PM +0000, Linux Kernel wrote:
> Gitweb: http://git.kernel.org/linus/;a=commit;h=c6466950e917890be3050171f6745ccb9d91d35f
> Commit: c6466950e917890be3050171f6745ccb9d91d35f
> Parent: 9e1e726311830bc5b8b568d5178f6a52c357fb6e
> Refname: refs/heads/next
> Author: Matt Porter <[email protected]>
> AuthorDate: Wed Apr 23 19:21:32 2014 -0400
> Committer: Lee Jones <[email protected]>
> CommitDate: Wed May 21 10:40:16 2014 +0100
>
> regulator: bcm590xx: Add support for regulators on secondary I2C slave
>
> The bcm590xx MFD driver now exposes a secondary regmap descriptor
> making the registers for regulators on the secondary I2C slave address
> available. Add support for GPLDO1-6 and VBUS regulators found within
> this register range.
> -#define BCM590XX_NUM_REGS 20
> +#define BCM590XX_NUM_REGS 27
Coverity picked up that this change has introduced a out of bounds read.
The loop in bcm590xx_probe iterates from 0 to NUM_REGS,
but the bcm590xx_regs struct it iterates over using the ptr 'info' is only 26
elements.
Dave
On Tue, 10 Jun 2014, Dave Jones wrote:
> On Tue, Jun 03, 2014 at 07:29:10PM +0000, Linux Kernel wrote:
> > Gitweb: http://git.kernel.org/linus/;a=commit;h=c6466950e917890be3050171f6745ccb9d91d35f
> > Commit: c6466950e917890be3050171f6745ccb9d91d35f
> > Parent: 9e1e726311830bc5b8b568d5178f6a52c357fb6e
> > Refname: refs/heads/next
> > Author: Matt Porter <[email protected]>
> > AuthorDate: Wed Apr 23 19:21:32 2014 -0400
> > Committer: Lee Jones <[email protected]>
> > CommitDate: Wed May 21 10:40:16 2014 +0100
> >
> > regulator: bcm590xx: Add support for regulators on secondary I2C slave
> >
> > The bcm590xx MFD driver now exposes a secondary regmap descriptor
> > making the registers for regulators on the secondary I2C slave address
> > available. Add support for GPLDO1-6 and VBUS regulators found within
> > this register range.
>
> > -#define BCM590XX_NUM_REGS 20
> > +#define BCM590XX_NUM_REGS 27
>
> Coverity picked up that this change has introduced a out of bounds read.
> The loop in bcm590xx_probe iterates from 0 to NUM_REGS,
> but the bcm590xx_regs struct it iterates over using the ptr 'info' is only 26
> elements.
Nice little tool. :)
Matt, I assume you'll fix this yourself?
--
Lee Jones
Linaro STMicroelectronics Landing Team Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog
On Mon, Jun 16, 2014 at 09:06:01AM +0100, Lee Jones wrote:
> On Tue, 10 Jun 2014, Dave Jones wrote:
> > On Tue, Jun 03, 2014 at 07:29:10PM +0000, Linux Kernel wrote:
> > > Gitweb: http://git.kernel.org/linus/;a=commit;h=c6466950e917890be3050171f6745ccb9d91d35f
> > > Commit: c6466950e917890be3050171f6745ccb9d91d35f
> > > Parent: 9e1e726311830bc5b8b568d5178f6a52c357fb6e
> > > Refname: refs/heads/next
> > > Author: Matt Porter <[email protected]>
> > > AuthorDate: Wed Apr 23 19:21:32 2014 -0400
> > > Committer: Lee Jones <[email protected]>
> > > CommitDate: Wed May 21 10:40:16 2014 +0100
> > >
> > > regulator: bcm590xx: Add support for regulators on secondary I2C slave
> > >
> > > The bcm590xx MFD driver now exposes a secondary regmap descriptor
> > > making the registers for regulators on the secondary I2C slave address
> > > available. Add support for GPLDO1-6 and VBUS regulators found within
> > > this register range.
> >
> > > -#define BCM590XX_NUM_REGS 20
> > > +#define BCM590XX_NUM_REGS 27
> >
> > Coverity picked up that this change has introduced a out of bounds read.
> > The loop in bcm590xx_probe iterates from 0 to NUM_REGS,
> > but the bcm590xx_regs struct it iterates over using the ptr 'info' is only 26
> > elements.
>
> Nice little tool. :)
Indeed
> Matt, I assume you'll fix this yourself?
Yes, we actually found this from functional tests before Dave's coverity
run found it. Graham Williams is going to post a patch that fixes this
issue since he noticed it while working on some dwc2 support.
-Matt