From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Ulf Hansson", "Geert Uytterhoeven", "Shawn Lin"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 303/410] mmc: dw_mmc: Fix out-of-bounds access for slot's caps

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shawn Lin

commit 0d84b9e5631d923744767dc6608672df906dd092 upstream.

Add num_caps field for dw_mci_drv_data to validate the controller
id from DT alias and non-DT ways.

Reported-by: Geert Uytterhoeven
Signed-off-by: Shawn Lin
Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
Signed-off-by: Ulf Hansson
[bwh: Backported to 3.16:
 - Drop changes to dw_mmc-{k3,rockchip,zx}.c
 - Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/mmc/host/dw_mmc-exynos.c +++ b/drivers/mmc/host/dw_mmc-exynos.c @@ -394,6 +394,7 @@ static unsigned long exynos_dwmmc_caps[4 static const struct dw_mci_drv_data exynos_drv_data = { .caps = exynos_dwmmc_caps, + .num_caps = ARRAY_SIZE(exynos_dwmmc_caps), .init = dw_mci_exynos_priv_init, .setup_clock = dw_mci_exynos_setup_clock, .prepare_command = dw_mci_exynos_prepare_command, --- a/drivers/mmc/host/dw_mmc.c +++ b/drivers/mmc/host/dw_mmc.c 
@@ -2064,8 +2064,15 @@ static int dw_mci_init_slot_caps(struct } else { ctrl_id = to_platform_device(host->dev)->id; } - if (drv_data && drv_data->caps) + + if (drv_data && drv_data->caps) { + if (ctrl_id >= drv_data->num_caps) { + dev_err(host->dev, "invalid controller id %d\n", + ctrl_id); + return -EINVAL; + } mmc->caps |= drv_data->caps[ctrl_id]; + } if (host->pdata->caps2) mmc->caps2 = host->pdata->caps2; --- a/drivers/mmc/host/dw_mmc.h +++ b/drivers/mmc/host/dw_mmc.h @@ -237,6 +237,7 @@ struct dw_mci_tuning_data { /** * dw_mci driver data - dw-mshc implementation specific driver data. * @caps: mmc subsystem specified capabilities of the controller(s). + * @num_caps: number of capabilities specified by @caps. * @init: early implementation specific initialization. * @setup_clock: implementation specific clock configuration. * @prepare_command: handle CMD register extensions. @@ -250,6 +251,7 @@ struct dw_mci_tuning_data { */ struct dw_mci_drv_data { unsigned long *caps; + u32 num_caps; int (*init)(struct dw_mci *host); int (*setup_clock)(struct dw_mci *host); void (*prepare_command)(struct dw_mci *host, u32 *cmdr);
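
Review bot: in the dw_mci_init_slot_caps hunk of drivers/mmc/host/dw_mmc.c, the new test `ctrl_id >= drv_data->num_caps` compares what the `%d` in the dev_err suggests is a signed ctrl_id against the u32 num_caps, so a negative id is rejected only through the implicit conversion to unsigned. The non-DT branch takes `to_platform_device(host->dev)->id`, which is -1 for a platform device registered without an instance number, so that case now fails probe with -EINVAL instead of reading caps[-1]. If that is the intent, an explicit `ctrl_id < 0` test or a one-line comment would make it visible to the next reader; if such devices are expected to keep working, the id needs mapping to 0 before the bounds check.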
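
Review bot: in the struct dw_mci_drv_data hunks of drivers/mmc/host/dw_mmc.h, the kernel-doc line for @num_caps does not say that the field must be set whenever @caps is set. A drv_data that fills in .caps but leaves .num_caps zero-initialised will now fail every slot with "invalid controller id", including id 0, because `ctrl_id >= drv_data->num_caps` is then always true. Since the backport drops the dw_mmc-{k3,rockchip,zx}.c changes, it is worth confirming that exynos_drv_data is the only user of .caps in 3.16, and extending the comment to something like "number of entries in @caps; required when @caps is non-NULL".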