2017-08-01 16:05:46

by Anton Vasilyev

[permalink] [raw]
Subject: Buffer overread in pv88090-regulator.ko

Hello.

While searching for memory errors in Linux kernel I've come across
drivers/regulator/pv88090-regulator.ko module.

Buffer overread could occur at pv88090_i2c_probe():

If read from malicious device such values for conf2 and range
(e.g. 0x10000000 and 0x1000 for PV88090_ID_BUCK2) that
conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
PV88090_BUCK_VDAC_RANGE_MASK;
and
range = (range >>
(PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
PV88080_BUCK_VRANGE_GAIN_MASK;
become 1 then
index = ((range << 1) | conf2);
become 3, but index is used for dereference pv88090_buck_vol[3].

Should be index=3 considered as incorrect value and pv88090_i2c_probe()
must return error,
or pv88090_buck_vol[] should be expanded?

Found by Linux Driver Verification project (linuxtesting.org).

--
Anton Vasilyev
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: [email protected]


2017-08-02 02:44:08

by James Seong-Won Ban

[permalink] [raw]
Subject: RE: Buffer overread in pv88090-regulator.ko

Hi Anton,

I have not thought this driver should be loaded for any malicious device.
Anyway we will update it.

Regards,
James

> -----Original Message-----
> From: Anton Vasilyev [mailto:[email protected]]
> Sent: Wednesday, August 02, 2017 1:06 AM
> To: James Seong-Won Ban
> Cc: Liam Girdwood; Mark Brown; [email protected]; ldv-
> [email protected]
> Subject: Buffer overread in pv88090-regulator.ko
>
> Hello.
>
> While searching for memory errors in Linux kernel I've come across
> drivers/regulator/pv88090-regulator.ko module.
>
> Buffer overread could occur at pv88090_i2c_probe():
>
> If read from malicious device such values for conf2 and range (e.g. 0x10000000
> and 0x1000 for PV88090_ID_BUCK2) that
> conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
> PV88090_BUCK_VDAC_RANGE_MASK; and
> range = (range >>
> (PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
> PV88080_BUCK_VRANGE_GAIN_MASK; become 1 then
> index = ((range << 1) | conf2); become 3, but index is used for
> dereference pv88090_buck_vol[3].
>
> Should be index=3 considered as incorrect value and pv88090_i2c_probe() must
> return error, or pv88090_buck_vol[] should be expanded?
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> --
> Anton Vasilyev
> Linux Verification Center, ISPRAS
> web: http://linuxtesting.org
> e-mail: [email protected]