Received: by 10.223.185.116 with SMTP id b49csp4851207wrg;
        Tue, 27 Feb 2018 03:50:55 -0800 (PST)
X-Google-Smtp-Source: AH8x224xN6UyJT6YB2uQy14LAO+BOiyL4ca5+FChwWKf220fAW2V68YOZL/Uiy4xaaKDMQfyQ5+V
X-Received: by 10.99.153.1 with SMTP id d1mr10952534pge.338.1519732255547;
        Tue, 27 Feb 2018 03:50:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519732255; cv=none;
        d=google.com; s=arc-20160816;
        b=P5MQcpiDZpWUhI4GKAxm65iD7TM8tmrddnRajYdPm00Nc7GXzeEu6az16TziBxJw6+
         sfn0VboVYdwmbFaKC3HR664V3PbCYODnao7cD3gNx+g0ooxVCVtF+h2+VM7L2JUW2OEj
         8i1p9nLWPvch/LvFqGXgJExk1+SbokqG8a3zvjrDlnN3YG+tdQceuX6rKKU8E18BYNQ0
         RYDux9JBcu8uE0BMFLWTBEMhaLKy8iiEFoQA2ffNFuI6ly/tWijLGeROjECxD59Vp/jx
         7sNwq1q6j24TrXW2gs2//2q5aFYYOXGGawT2ATLyWLo521aPQa0d5g10FunwZR82oGuf
         Tzzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=k7rlO5oGE37fvJESDfhsQoK5i5Pi/Kv6Dh04MbXT6T0=;
        b=VmCS94Z2hmhLbuOsTnX2FVEbXn+PiG+cDmto2IxAAs4pescKUW7pmJPwb4SQmBMnxW
         KYF7jY2rVY/fcLSDnUFd7NltYqS9FAlY62ehZFAERlHlF06IcFMelMA3e3wazFhGx4Dr
         FSJq5EdKq6j6qBVfWI4j7NajtBmTjyIEhdI0ZJvQ/nAeOp1NoolKGsf4AIBkWENXO/vI
         4aIgL/rMQnrGDsh3wUOSLLthdrn6SFr31ZX0Mao/MQ+QoL1VgrOef/WdrvEceDg2LRWY
         vjKYreT8GgKxkT2/cpzpq2/8nckqlM3yopLZZTP/YuBWFJFX7bBY01ty6Z9W3lF3EoeJ
         qd2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=FQy0VsEg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p7si2000629pff.80.2018.02.27.03.50.41;
        Tue, 27 Feb 2018 03:50:55 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=FQy0VsEg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752809AbeB0L13 (ORCPT <rfc822;yingkeliu@gmail.com> + 99 others);
        Tue, 27 Feb 2018 06:27:29 -0500
Received: from mail-io0-f194.google.com ([209.85.223.194]:35087 "EHLO
        mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752444AbeB0L11 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Feb 2018 06:27:27 -0500
Received: by mail-io0-f194.google.com with SMTP id 30so20821494iog.2
        for <linux-kernel@vger.kernel.org>; Tue, 27 Feb 2018 03:27:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=k7rlO5oGE37fvJESDfhsQoK5i5Pi/Kv6Dh04MbXT6T0=;
        b=FQy0VsEg4zUM/gv8dpTqAxZMG0sWbNg794T33819WEU80W31aTR6W3Lo5z65tZvDy0
         W6UsMo8WDcRYC3HxcUAGioiscyfH6R0DFVYREe4Hm+QWTh5E4XzmWHLF5JtfSKeA4QBX
         /ZBE42Wma7KgCZ9+tJEUYjRHg2aDKbwTEBQng=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=k7rlO5oGE37fvJESDfhsQoK5i5Pi/Kv6Dh04MbXT6T0=;
        b=sQ1CiXJk43JpXU8yvt0e9SC2KSX5aelvJSdJ2MmAIDfYTHY33i65UWLCOcixi60kF2
         DOMPv269FgoxlLEW8ZgYbgvq6mgVkuxINjxx2QnUHp0DmOBqzbSOBpp79GE/VyVBQYxf
         xAsA8RteJBl5yvlyy2si6d1OMOuOqs4L9sLcGOrG/u88Gg5R/5mqLFiBFIKeTOoQcfbH
         oG8IbdO7VdCKTLhks35oaWF2qMKEaDDUi0h7A7HJG5ZVk/4pbpm01MYzj1cdczIgnQlH
         CI33uY2/wlzT9cWn8OlGPHRN03i3vqHSfAL2KIhGZ1X/svqo2U20bvvx+A8hcJzwdHBs
         CnRQ==
X-Gm-Message-State: APf1xPCvXrTyj0MHjXWyX7nARDCm9M/3j2oxkRgWJCbqXj8fWrc14Wxx
        KAfZg9K7t/5iTsjqrGjCcJRM55xZf/xygr1hMe2pkw==
X-Received: by 10.107.153.79 with SMTP id b76mr15436175ioe.192.1519730846834;
 Tue, 27 Feb 2018 03:27:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.91.10 with HTTP; Tue, 27 Feb 2018 03:27:26 -0800 (PST)
In-Reply-To: <1519389859-14947-1-git-send-email-geert+renesas@glider.be>
References: <1519389859-14947-1-git-send-email-geert+renesas@glider.be>
From:   Ulf Hansson <ulf.hansson@linaro.org>
Date:   Tue, 27 Feb 2018 12:27:26 +0100
Message-ID: <CAPDyKFrFKp7Bn+86jWN1t4Q7bLup0z3cnPM8zMMTdMTQLJSfQA@mail.gmail.com>
Subject: Re: [PATCH v2] mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
To:     Geert Uytterhoeven <geert+renesas@glider.be>
Cc:     Jaehoon Chung <jh80.chung@samsung.com>,
        "linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
        devicetree-compiler@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 23 February 2018 at 13:44, Geert Uytterhoeven
<geert+renesas@glider.be> wrote:
> The hs_timing_cfg[] array is indexed using a value derived from the
> "mshcN" alias in DT, which may lead to an out-of-bounds access.
>
> Fix this by adding a range check.
>
> Fixes: 361c7fe9b02eee7e ("mmc: dw_mmc-k3: add sd support for hi3660")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>

Thanks, applied for fixes!

Should we add a stable tag as well?

Kind regards
Uffe

> ---
> v2:
>   - Fix Fixes reference.
>
> There is another possible out-of-bounds access in
> drivers/mmc/host/dw_mmc.c:dw_mci_init_slot():
>
>     if (drv_data && drv_data->caps)
>             mmc->caps |= drv_data->caps[ctrl_id];
>
> With ctrl_id derived from "mshcN".
>
> Unfortunately the upper bound is not known at run-time, without adding
> such a field to struct dw_mci_drv_data first.
> ---
>  drivers/mmc/host/dw_mmc-k3.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/mmc/host/dw_mmc-k3.c b/drivers/mmc/host/dw_mmc-k3.c
> index 73fd75c3c824904d..75ae5803b0db24dd 100644
> --- a/drivers/mmc/host/dw_mmc-k3.c
> +++ b/drivers/mmc/host/dw_mmc-k3.c
> @@ -135,6 +135,9 @@ static int dw_mci_hi6220_parse_dt(struct dw_mci *host)
>         if (priv->ctrl_id < 0)
>                 priv->ctrl_id = 0;
>
> +       if (priv->ctrl_id >= TIMING_MODE)
> +               return -EINVAL;
> +
>         host->priv = priv;
>         return 0;
>  }
> --
> 2.7.4
>