Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752465AbcD0MMl (ORCPT ); Wed, 27 Apr 2016 08:12:41 -0400 Received: from www.meduna.org ([92.240.244.38]:51163 "EHLO meduna.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751513AbcD0MMk (ORCPT ); Wed, 27 Apr 2016 08:12:40 -0400 X-Greylist: delayed 1147 seconds by postgrey-1.27 at vger.kernel.org; Wed, 27 Apr 2016 08:12:39 EDT To: linux-kernel@vger.kernel.org, "linux-arm-kernel@lists.infradead.org" From: Stanislav Meduna Subject: [PATCH] nvmem/mxs-ocotp: fix buffer overflow in read Message-ID: <201ccd58-8735-02d8-b4e4-9d2eda828fd8@meduna.org> Date: Wed, 27 Apr 2016 13:53:21 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Authenticated-User: stano@meduna.org X-Authenticator: dovecot_plain X-Spam-Score: -6.9 X-Spam-Score-Int: -68 X-Exim-Version: 4.72 (build at 13-Jul-2014 12:42:58) X-Date: 2016-04-27 13:53:28 X-Connected-IP: 78.141.77.45:61033 X-Message-Linecount: 47 X-Body-Linecount: 35 X-Message-Size: 1530 X-Body-Size: 1031 X-Received-Count: 1 X-Recipient-Count: 2 X-Local-Recipient-Count: 2 X-Local-Recipient-Defer-Count: 0 X-Local-Recipient-Fail-Count: 0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1030 Lines: 34 This patch fixes the issue where the mxs_ocotp_read is reading the ocotp in reg_size steps but decrements the remaining size by 1. The number of iterations is thus four times higher, overwriting the area behind the output buffer. Fixes: c01e9a11ab6f ("nvmem: add driver for ocotp in i.MX23 and i.MX28") --- drivers/nvmem/mxs-ocotp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/nvmem/mxs-ocotp.c b/drivers/nvmem/mxs-ocotp.c index 8ba19bb..2bb3c57 100644 --- a/drivers/nvmem/mxs-ocotp.c +++ b/drivers/nvmem/mxs-ocotp.c @@ -94,7 +94,7 @@ static int mxs_ocotp_read(void *context, const void *reg, size_t reg_size, if (ret) goto close_banks; - while (val_size) { + while (val_size >= reg_size) { if ((offset < OCOTP_DATA_OFFSET) || (offset % 16)) { /* fill up non-data register */ *buf = 0; @@ -103,7 +103,7 @@ static int mxs_ocotp_read(void *context, const void *reg, size_t reg_size, } buf++; - val_size--; + val_size -= reg_size; offset += reg_size; } -- 2.1.4