2015-06-28 09:56:11

by Daniel Thompson

Subject: [PATCH] clk: stm32: Fix out-by-one error path in the index lookup

If stm32f4_rcc_lookup() is called with primary == 0 and secondary == 192
then it will read beyond the end of the table array due to an out-by-one
error in the range check.

In addition to fixing the inequality we also modify the r.h.s. to
make it even more explicit that we are comparing against the size of
table in bits.

Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Daniel Thompson <[email protected]>
---
drivers/clk/clk-stm32f4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c
index c825bbd..148c151 100644
--- a/drivers/clk/clk-stm32f4.c
+++ b/drivers/clk/clk-stm32f4.c
@@ -268,7 +268,7 @@ static int stm32f4_rcc_lookup_clk_idx(u8 primary, u8 secondary)
memcpy(table, stm32f42xx_gate_map, sizeof(table));

/* only bits set in table can be used as indices */
- if (WARN_ON(secondary > 8 * sizeof(table) ||
+ if (WARN_ON(secondary >= BITS_PER_BYTE * sizeof(table) ||
0 == (table[BIT_ULL_WORD(secondary)] &
BIT_ULL_MASK(secondary))))
return -EINVAL;
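
Review bot: on the changed `secondary >= BITS_PER_BYTE * sizeof(table)` line, the bound is only effective because it is the left operand of `||`, so short-circuit evaluation skips the `table[BIT_ULL_WORD(secondary)]` read when secondary is out of range. The existing comment ("only bits set in table can be used as indices") does not say this, so consider extending it to note that the range test must come first, or splitting the range test into its own `if` so a later reorder cannot reintroduce the out-of-bounds read. The commit message also refers to stm32f4_rcc_lookup() while the hunk header shows the check sits in stm32f4_rcc_lookup_clk_idx(); using the real function name would make the log easier to search.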
--
2.4.3


2015-06-29 08:50:57

by Maxime Coquelin

Subject: Re: [PATCH] clk: stm32: Fix out-by-one error path in the index lookup

Hi Daniel,

2015-06-28 11:55 GMT+02:00 Daniel Thompson <[email protected]>:
> If stm32f4_rcc_lookup() is called with primary == 0 and secondary == 192
> then it will read beyond the end of the table array due to an out-by-one
> error in the range check.
>
> In addition to fixing the inequality we also modify the r.h.s. to
> make it even more explicit that we are comparing against the size of
> table in bits.
>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Daniel Thompson <[email protected]>
> ---
> drivers/clk/clk-stm32f4.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>

Thanks for the patch.

Acked-by: Maxime Coquelin <[email protected]>

Regards,
Maxime

2015-07-02 16:56:25

by Stephen Boyd

Subject: Re: [PATCH] clk: stm32: Fix out-by-one error path in the index lookup

On 06/28, Daniel Thompson wrote:
> If stm32f4_rcc_lookup() is called with primary == 0 and secondary == 192
> then it will read beyond the end of the table array due to an out-by-one
> error in the range check.
>
> In addition to fixing the inequality we also modify the r.h.s. to
> make it even more explicit that we are comparing against the size of
> table in bits.
>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Daniel Thompson <[email protected]>
> ---

Applied to clk-fixes

--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project