Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp2038924ybh; Fri, 17 Jul 2020 07:54:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxUg4ZwA6iuCG/6/oBmvI/LacxHK8gU9bKrjYDQ6lDzmE+I4JD6MI3pMxGp65EKh2knhY0k X-Received: by 2002:aa7:c80d:: with SMTP id a13mr9695240edt.327.1594997654348; Fri, 17 Jul 2020 07:54:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594997654; cv=none; d=google.com; s=arc-20160816; b=wRWDsTgkaghhaBv/PLTGN9UWwdTq7xtAXGUO9IqmFOIDYEOOcWfsYF4Cxlyx5QB9mJ kzUmGBb0jLuIG8Vb8ckZjAmtxBFpZ7Pm4SKX3azohceNoY6qsmYOPLzeBEoNY/O3JAl7 1V2OirLeI2pM0PTls8jfeURklGfOHa0Tap4EnraXgDAYtZ6NETCCDZIhZcT2Jc87vfpi s1MD+f7s+mW5UUiU4RuBhqSz46jFZgvY/gqopOubi0tiV54JKnUQm8NwvUkur4z3pun9 vZOCU+JxU1AFRj2ZYZpoYGL+DZhVSLy80G1aBQSA+6vc4QfmV4BHKRAwsRvFfF6GalNU kpoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=zt1+mAVOx/3mKjyaYo2e3wuxWMPkfR5JXzKmNqCP2UQ=; b=JcQrd8j5OMxW/BH8+s0+2hnzd1QuVnAbUx3Mpaew3qT7vCFsnPpmRqpgBz/IRyvZoZ rj1MMxLgOLjzmLVjOJKTQH98Tj0SRaT+DeH27fTU2O6qgeblraA8S1/wjBeOecDXlCGK veWhPGrfdEhAkuqhzO9AKG4o1sXPHpoeWYvjlIOH1raHBuIu0kuUyTqzSGhNjLCH6kkm 9QPCNxSLuiAZq7cKxR7hiXrE+s/nOd3Rmt/k1q9ucWUYOUnrqE7/Tfidc4d2C/J0ii+7 4fQ4Pvm0eSjQFG8fG6BjkLeQGWCLG7rHwil8alB/8iJ7+y2QNRfHJQacGYmAu3MC68m0 hJkw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mev.co.uk header.s=20190130-41we5z8j header.b=a78uTA8j; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z22si5322922edr.357.2020.07.17.07.53.51; Fri, 17 Jul 2020 07:54:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mev.co.uk header.s=20190130-41we5z8j header.b=a78uTA8j; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726852AbgGQOx1 (ORCPT + 99 others); Fri, 17 Jul 2020 10:53:27 -0400 Received: from smtp97.iad3b.emailsrvr.com ([146.20.161.97]:42307 "EHLO smtp97.iad3b.emailsrvr.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726546AbgGQOxW (ORCPT ); Fri, 17 Jul 2020 10:53:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mev.co.uk; s=20190130-41we5z8j; t=1594997601; bh=6Y8+qjJ3gWicIHj8d37o4gMFEqYOL5hWShpaU+do+CQ=; h=From:To:Subject:Date:From; b=a78uTA8jaLwS1zC/4xh4MfAWps5epUeE0mtJYed36N3ln10UjI+JfiTvih07rJSDN t59Ctdi8VuyRkPxMHVA0hLCbfynf7b4urKlIZw6lzvLDkh/EONlowbOBoSjj7cMc+v Dq2kYK7keYrt7tCTYGTlVtmBK9meJ1MHuFZzmU9M= X-Auth-ID: abbotti@mev.co.uk Received: by smtp5.relay.iad3b.emailsrvr.com (Authenticated sender: abbotti-AT-mev.co.uk) with ESMTPSA id 708A7401B7; Fri, 17 Jul 2020 10:53:20 -0400 (EDT) From: Ian Abbott To: devel@driverdev.osuosl.org Cc: Greg Kroah-Hartman , Ian Abbott , H Hartley Sweeten , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 3/4] staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift Date: Fri, 17 Jul 2020 15:52:56 +0100 Message-Id: <20200717145257.112660-4-abbotti@mev.co.uk> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200717145257.112660-1-abbotti@mev.co.uk> References: <20200717145257.112660-1-abbotti@mev.co.uk> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Classification-ID: 3cd28aa4-5d40-4a0c-a681-8cbccbead0a1-4-1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The `INSN_CONFIG` comedi instruction with sub-instruction code `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is used as a right shift amount for other bitmask values without being checked. Shift amounts greater than or equal to 32 will result in undefined behavior. Add code to deal with this. Fixes: 1e15687ea472 ("staging: comedi: addi_apci_1564: add Change-of-State interrupt subdevice and required functions" Cc: #3.17+ Signed-off-by: Ian Abbott --- .../staging/comedi/drivers/addi_apci_1564.c | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/staging/comedi/drivers/addi_apci_1564.c b/drivers/staging/comedi/drivers/addi_apci_1564.c index 10501fe6bb25..1268ba34be5f 100644 --- a/drivers/staging/comedi/drivers/addi_apci_1564.c +++ b/drivers/staging/comedi/drivers/addi_apci_1564.c @@ -331,14 +331,22 @@ static int apci1564_cos_insn_config(struct comedi_device *dev, unsigned int *data) { struct apci1564_private *devpriv = dev->private; - unsigned int shift, oldmask; + unsigned int shift, oldmask, himask, lomask; switch (data[0]) { case INSN_CONFIG_DIGITAL_TRIG: if (data[1] != 0) return -EINVAL; shift = data[3]; - oldmask = (1U << shift) - 1; + if (shift < 32) { + oldmask = (1U << shift) - 1; + himask = data[4] << shift; + lomask = data[5] << shift; + } else { + oldmask = 0xffffffffu; + himask = 0; + lomask = 0; + } switch (data[2]) { case COMEDI_DIGITAL_TRIG_DISABLE: devpriv->ctrl = 0; @@ -362,8 +370,8 @@ static int apci1564_cos_insn_config(struct comedi_device *dev, devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; case COMEDI_DIGITAL_TRIG_ENABLE_LEVELS: if (devpriv->ctrl != (APCI1564_DI_IRQ_ENA | @@ -380,8 +388,8 @@ static int apci1564_cos_insn_config(struct comedi_device *dev, devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; default: return -EINVAL; -- 2.27.0