From: James Seong-Won Ban
To: Anton Vasilyev
CC: Liam Girdwood, Mark Brown, "linux-kernel@vger.kernel.org", "ldv-project@linuxtesting.org", "Eric Hyeung Dong Jeong"
Subject: RE: Buffer overread in pv88090-regulator.ko
Date: Wed, 2 Aug 2017 02:44:01 +0000
Message-ID: <0ACAE736BB7A70499F1D8D5E6AC1854C0337FB3346@NB-EX-MBX01.diasemi.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Anton,

I have not thought this driver should be loaded for any malicious device.
Anyway we will update it.

Regards,
James

> -----Original Message-----
> From: Anton Vasilyev [mailto:vasilyev@ispras.ru]
> Sent: Wednesday, August 02, 2017 1:06 AM
> To: James Seong-Won Ban
> Cc: Liam Girdwood; Mark Brown; linux-kernel@vger.kernel.org;
> ldv-project@linuxtesting.org
> Subject: Buffer overread in pv88090-regulator.ko
>
> Hello.
>
> While searching for memory errors in Linux kernel I've come across
> drivers/regulator/pv88090-regulator.ko module.
>
> Buffer overread could occur at pv88090_i2c_probe():
>
> If read from malicious device such values for conf2 and range (e.g. 0x10000000
> and 0x1000 for PV88090_ID_BUCK2) that
>   conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
>           PV88090_BUCK_VDAC_RANGE_MASK;
> and
>   range = (range >>
>            (PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
>           PV88080_BUCK_VRANGE_GAIN_MASK;
> become 1 then
>   index = ((range << 1) | conf2);
> become 3, but index is used for dereference pv88090_buck_vol[3].
>
> Should be index=3 considered as incorrect value and pv88090_i2c_probe() must
> return error, or pv88090_buck_vol[] should be expanded?
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> --
> Anton Vasilyev
> Linux Verification Center, ISPRAS
> web: http://linuxtesting.org
> e-mail: vasilyev@ispras.ru
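
The first option raised in the report (treat index 3 as invalid and return an error), as an added user-space example that is not code from the driver or from either poster. The `HYP_*` names, the bit positions and the three-entry table are assumptions, chosen so that two 1-bit device-supplied fields can combine to index 3, one past the end of the table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed bit layout for illustration; not the driver's real register map. */
#define HYP_VDAC_RANGE_SHIFT  7
#define HYP_VDAC_RANGE_MASK   0x01
#define HYP_VRANGE_GAIN_SHIFT 0
#define HYP_VRANGE_GAIN_MASK  0x01

struct buck_vol { int min_uV; int max_uV; int uV_step; };

/* Constructed table with three entries, so index 3 is one past the end. */
static const struct buck_vol buck_vol_table[] = {
	{  600000, 1400000,  6250 },
	{ 1400000, 2200000, 12500 },
	{ 1250000, 2850000, 12500 },
};

/* Index built from two device-supplied register values, as in the report. */
static size_t buck_index(unsigned int conf2, unsigned int range, int i)
{
	conf2 = (conf2 >> HYP_VDAC_RANGE_SHIFT) & HYP_VDAC_RANGE_MASK;
	range = (range >> (HYP_VRANGE_GAIN_SHIFT + i - 1)) & HYP_VRANGE_GAIN_MASK;
	return (range << 1) | conf2;	/* two 1-bit fields give 0..3 */
}

/* Checked lookup: returns 0 and sets *out, or -EINVAL for a bad index. */
static int buck_lookup(unsigned int conf2, unsigned int range, int i,
		       const struct buck_vol **out)
{
	size_t index;
	if (i < 1)	/* the shift amount i - 1 must not go negative */
		return -EINVAL;
	index = buck_index(conf2, range, i);
	if (index >= ARRAY_SIZE(buck_vol_table))
		return -EINVAL;	/* reject instead of reading past the table */
	*out = &buck_vol_table[index];
	return 0;
}

int main(void)
{
	const struct buck_vol *v = NULL;
	printf("index=%zu lookup=%d\n", buck_index(0x80, 0x01, 1),
	       buck_lookup(0x80, 0x01, 1, &v));
	return 0;
}
```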