Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2991452imu;
        Sun, 9 Dec 2018 14:29:46 -0800 (PST)
X-Google-Smtp-Source: AFSGD/Xcw1Ov4J/mCpUB1UQB/Jm3IhBDf0dl/3s2Lm80pWvkfSoHSs78vAf/4GwwWgDsGIYj7q4X
X-Received: by 2002:a63:c942:: with SMTP id y2mr8768224pgg.331.1544394586238;
        Sun, 09 Dec 2018 14:29:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1544394586; cv=none;
        d=google.com; s=arc-20160816;
        b=an/iyLbRLLB56+vFPCMFy4k6PHC71Z97G+8KBvGLHzJm6ppsVEzJk7i74yy/0DO4KB
         vWKLgQ1bB2yO0M+xzWZM1Axn89g6C3TWeJV0YDwJIMeZe72gQnXqN25SLaupeYU694p8
         mI3VhO/c5taMLHaE1rpmmh+Sk6T7HqjdDUhQLQ2yLqLCWsmfjcsI8BBQAJ2AAVSHAKnN
         TxIr5TgppOncs+4/42Aovgn/7QXdBHiqbQan5h+VpHrIHOjbjCxVIPUgDx4zoyzwzI3c
         kUXky8CSAt2MKKpCpSlOJS5z3wLXeSBACMFCnUtJKUAJM5NXTYmysmW+QP9+ysdLVtcX
         2OOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=/vBQv3RQDAiBnCE/V+lKrECikv9DGhgVGo/C0D7jHew=;
        b=n3k5FqmRub/hnzWms4QdnkJ4RBgmd50vsx/bGuBap416MAcBpnRFuOPx0OwD1JYXP0
         p4s7KB476I5xHqM/SGJjtz94D+N8Zo4Y94U6zPM9gSxYVc/5YxUm9GCJo/6G//JJjSfz
         BIGcoP6rpf8lGY6KhBjs0mGKHZxrTG396wKKI943ekc/3zjHvvaNridVOg59BdDS1ObS
         wi6H5iTwiDEELykH4KUSMRvEzKuGPH0/pYXNqykh8zF7NcpMO/s80Sc8AdGI+v+u5k1Q
         lKEscdM9Y8T2XZx7I7NaKlcRSUnztEI0rErivjZK8Jp/pNoEVmfl0RZC7lTQyPneT/Ti
         iMRQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i13si7670264pgi.260.2018.12.09.14.29.31;
        Sun, 09 Dec 2018 14:29:46 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728843AbeLIW16 (ORCPT <rfc822;atom.tux.beastie@gmail.com>
        + 99 others); Sun, 9 Dec 2018 17:27:58 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:34642 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726373AbeLIVzL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 9 Dec 2018 16:55:11 -0500
Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1gW72b-0002ic-J7; Sun, 09 Dec 2018 21:55:09 +0000
Received: from ben by deadeye with local (Exim 4.91)
        (envelope-from <ben@decadent.org.uk>)
        id 1gW72Y-0003E6-Pd; Sun, 09 Dec 2018 21:55:06 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org,
        "H. Nikolaus Schaller" <hns@goldelico.com>,
        "Sebastian Reichel" <sebastian.reichel@collabora.co.uk>
Date:   Sun, 09 Dec 2018 21:50:33 +0000
Message-ID: <lsq.1544392233.170902977@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 025/328] power: generic-adc-battery: fix
 out-of-bounds write when copying channel properties
In-Reply-To: <lsq.1544392232.713909046@decadent.org.uk>
X-SA-Exim-Connect-IP: 81.174.156.145
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "H. Nikolaus Schaller" <hns@goldelico.com>

commit 932d47448c3caa0fa99e84d7f5bc302aa286efd8 upstream.

We did have sporadic problems in the pinctrl framework during boot
where a pin group name unexpectedly became NULL leading to a NULL
dereference in strcmp.

Detailled analysis of the failing cases did reveal that there were
two devm allocated objects close to each other. The second one was
the affected group_desc in pinmux and the first one was the
psy_desc->properties buffer of the gab driver.

Review of the gab code showed that the address calculation for
one memcpy() is wrong. It does

	properties + sizeof(type) * index

but C is defined to do the index multiplication already for
pointer + integer additions. Hence the factor was applied twice
and the memcpy() does write outside of the properties buffer.
Sometimes it happened to be the pinctrl and triggered the strcmp(NULL).

Anyways, it is overkill to use a memcpy() here instead of a simple
assignment, which is easier to read and has less risk for wrong
address calculations. So we change code to a simple assignment.

If we initialize the index to the first free location, we can even
remove the local variable 'properties'.

This bug seems to exist right from the beginning in 3.7-rc1 in

commit e60fea794e6e ("power: battery: Generic battery driver using IIO")

Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
[bwh: Backported to 3.16:
 - s/psy_desc/psy/g
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/power/generic-adc-battery.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/drivers/power/generic-adc-battery.c
+++ b/drivers/power/generic-adc-battery.c
@@ -241,10 +241,9 @@ static int gab_probe(struct platform_dev
 	struct gab *adc_bat;
 	struct power_supply *psy;
 	struct gab_platform_data *pdata = pdev->dev.platform_data;
-	enum power_supply_property *properties;
 	int ret = 0;
 	int chan;
-	int index = 0;
+	int index = ARRAY_SIZE(gab_props);
 
 	adc_bat = devm_kzalloc(&pdev->dev, sizeof(*adc_bat), GFP_KERNEL);
 	if (!adc_bat) {
@@ -276,8 +275,6 @@ static int gab_probe(struct platform_dev
 	}
 
 	memcpy(psy->properties, gab_props, sizeof(gab_props));
-	properties = (enum power_supply_property *)
-				((char *)psy->properties + sizeof(gab_props));
 
 	/*
 	 * getting channel from iio and copying the battery properties
@@ -291,15 +288,12 @@ static int gab_probe(struct platform_dev
 			adc_bat->channel[chan] = NULL;
 		} else {
 			/* copying properties for supported channels only */
-			memcpy(properties + sizeof(*(psy->properties)) * index,
-					&gab_dyn_props[chan],
-					sizeof(gab_dyn_props[chan]));
-			index++;
+			psy->properties[index++] = gab_dyn_props[chan];
 		}
 	}
 
 	/* none of the channels are supported so let's bail out */
-	if (index == 0) {
+	if (index == ARRAY_SIZE(gab_props)) {
 		ret = -ENODEV;
 		goto second_mem_fail;
 	}
@@ -310,7 +304,7 @@ static int gab_probe(struct platform_dev
 	 * as come channels may be not be supported by the device.So
 	 * we need to take care of that.
 	 */
-	psy->num_properties = ARRAY_SIZE(gab_props) + index;
+	psy->num_properties = index;
 
 	ret = power_supply_register(&pdev->dev, psy);
 	if (ret)