Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1836051imm;
        Mon, 3 Sep 2018 10:40:58 -0700 (PDT)
X-Google-Smtp-Source: ANB0Vdajr1861ZHlCH9g+4ctTMmYGy+9XjmCcAPg0fZmmmfA7mkJUvQqbUiXFuS14R0SwR5DTsW8
X-Received: by 2002:a63:5fc8:: with SMTP id t191-v6mr27460377pgb.183.1535996457964;
        Mon, 03 Sep 2018 10:40:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535996457; cv=none;
        d=google.com; s=arc-20160816;
        b=GzqCPQVegy05E+FxkVFoLI/jzsn/+QZkpD6TFtsPhI8GBJF7x9rekano77+N7EGuI4
         3Ni/lAB0+ZWHWajNW8SI1IOM8PxxirNHUHbXVDoo6BtZhdI7pKvovJYIQoCR86VmtJm5
         FYyywvylvNOm/DYI6o7wKWJ/tlFXlQZG+pYnygGGkwZKix1aOoQMNV0EH0DdTgR1wm8M
         rDtm5PoqZG+nkD6dFvz05/Nf20Ng4Qll8fx6EpMzlSNLpgOLJoHUZC1qD8EhPZyEJa+8
         TfcUmVSmlkWWrblMQT2ULmfke9CAjoq/Zk5A08TTFQ2FM+fkTBPswXOdSFODi14ZxoNG
         O6aQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=A9nTTw9jnEmiAAM9SBpvyHkFLpgCE2bt/6I6cSuie8E=;
        b=pokrW/jtmddi2dtu386qKf8nprHK7dgcZh/uAXMnB5FYgD3OS9/utjJqvoihIt4tAh
         MLIjPnWKK+E4K53JHgO8tGscxy3yM9srhvLD8F1oj6X/Cx9JvqAPpzgi8N/2tnO9Id9s
         j/8yIMWkby8G0H2MlHAZO0zQ9BjgzaT8BdTyo0BchT9gggXhmrcwG2DNtTbsSUgIzH6Y
         mb6a0ePOyk4R9hQJ8JpvTUChmB4+aL56lVgiKvHSslrpcYK4bUAudr5izp9RbOaCn1dr
         20DBqHSou2bmGrAa16Ar5UMvhAFaF8MRPJyC3aYWKzou3wLaMM1BeneO5JKFKzLXG9Yi
         MkTw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n10-v6si20341108pfb.316.2018.09.03.10.40.42;
        Mon, 03 Sep 2018 10:40:57 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731962AbeICWAu (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Mon, 3 Sep 2018 18:00:50 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:49288 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728885AbeICWAu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Sep 2018 18:00:50 -0400
Received: from localhost (ip-213-127-74-90.ip.prioritytelecom.net [213.127.74.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 3E55AA95;
        Mon,  3 Sep 2018 17:39:38 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, "H. Nikolaus Schaller" <hns@goldelico.com>,
        Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Subject: [PATCH 4.18 118/123] power: generic-adc-battery: fix out-of-bounds write when copying channel properties
Date:   Mon,  3 Sep 2018 18:57:42 +0200
Message-Id: <20180903165724.484193109@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180903165719.499675257@linuxfoundation.org>
References: <20180903165719.499675257@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: H. Nikolaus Schaller <hns@goldelico.com>

commit 932d47448c3caa0fa99e84d7f5bc302aa286efd8 upstream.

We did have sporadic problems in the pinctrl framework during boot
where a pin group name unexpectedly became NULL leading to a NULL
dereference in strcmp.

Detailled analysis of the failing cases did reveal that there were
two devm allocated objects close to each other. The second one was
the affected group_desc in pinmux and the first one was the
psy_desc->properties buffer of the gab driver.

Review of the gab code showed that the address calculation for
one memcpy() is wrong. It does

	properties + sizeof(type) * index

but C is defined to do the index multiplication already for
pointer + integer additions. Hence the factor was applied twice
and the memcpy() does write outside of the properties buffer.
Sometimes it happened to be the pinctrl and triggered the strcmp(NULL).

Anyways, it is overkill to use a memcpy() here instead of a simple
assignment, which is easier to read and has less risk for wrong
address calculations. So we change code to a simple assignment.

If we initialize the index to the first free location, we can even
remove the local variable 'properties'.

This bug seems to exist right from the beginning in 3.7-rc1 in

commit e60fea794e6e ("power: battery: Generic battery driver using IIO")

Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: stable@vger.kernel.org
Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/power/supply/generic-adc-battery.c |   14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/drivers/power/supply/generic-adc-battery.c
+++ b/drivers/power/supply/generic-adc-battery.c
@@ -241,10 +241,9 @@ static int gab_probe(struct platform_dev
 	struct power_supply_desc *psy_desc;
 	struct power_supply_config psy_cfg = {};
 	struct gab_platform_data *pdata = pdev->dev.platform_data;
-	enum power_supply_property *properties;
 	int ret = 0;
 	int chan;
-	int index = 0;
+	int index = ARRAY_SIZE(gab_props);
 
 	adc_bat = devm_kzalloc(&pdev->dev, sizeof(*adc_bat), GFP_KERNEL);
 	if (!adc_bat) {
@@ -278,8 +277,6 @@ static int gab_probe(struct platform_dev
 	}
 
 	memcpy(psy_desc->properties, gab_props, sizeof(gab_props));
-	properties = (enum power_supply_property *)
-			((char *)psy_desc->properties + sizeof(gab_props));
 
 	/*
 	 * getting channel from iio and copying the battery properties
@@ -293,15 +290,12 @@ static int gab_probe(struct platform_dev
 			adc_bat->channel[chan] = NULL;
 		} else {
 			/* copying properties for supported channels only */
-			memcpy(properties + sizeof(*(psy_desc->properties)) * index,
-					&gab_dyn_props[chan],
-					sizeof(gab_dyn_props[chan]));
-			index++;
+			psy_desc->properties[index++] = gab_dyn_props[chan];
 		}
 	}
 
 	/* none of the channels are supported so let's bail out */
-	if (index == 0) {
+	if (index == ARRAY_SIZE(gab_props)) {
 		ret = -ENODEV;
 		goto second_mem_fail;
 	}
@@ -312,7 +306,7 @@ static int gab_probe(struct platform_dev
 	 * as come channels may be not be supported by the device.So
 	 * we need to take care of that.
 	 */
-	psy_desc->num_properties = ARRAY_SIZE(gab_props) + index;
+	psy_desc->num_properties = index;
 
 	adc_bat->psy = power_supply_register(&pdev->dev, psy_desc, &psy_cfg);
 	if (IS_ERR(adc_bat->psy)) {